| Message ID | 1479089394-30765-1-git-send-email-hongyan.song@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Mon, 2016-11-14 at 02:09 +0000, Song Hongyan wrote: > When user tried to read some fields like hysteresis from IIO sysfs on > some > systems, it fails. The reason is that this field is a byte field and > caller > of sensor_hub_get_feature() passes a buffer of 4 bytes. Here the > function > sensor_hub_get_feature() copies the single byte from the report to > the > caller buffer and returns "1" as the number of bytes copied. Is the following sentence accurate? > So caller > can use the return value, which is actually not right. Caller could have used a single byte from the result buffer as this is valid data ignoring other bytes. > Since this is done by multiple callers, if we change the > sensor_hub_get_feature() can make sure the caller buffer is > initialized > with 0s then we don't need to change all functions. > > Signed-off-by: Song Hongyan <hongyan.song@intel.com> > --- > drivers/hid/hid-sensor-hub.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor- > hub.c > index 658a607..b74d954 100644 > --- a/drivers/hid/hid-sensor-hub.c > +++ b/drivers/hid/hid-sensor-hub.c > @@ -252,6 +252,7 @@ int sensor_hub_get_feature(struct > hid_sensor_hub_device *hsdev, u32 report_id, > int report_size; > int ret = 0; > > + memset(buffer, 0, buffer_size); > mutex_lock(&data->mutex); > report = sensor_hub_report(report_id, hsdev->hdev, > HID_FEATURE_REPORT); > if (!report || (field_index >= report->maxfield) ||
diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c index 658a607..b74d954 100644 --- a/drivers/hid/hid-sensor-hub.c +++ b/drivers/hid/hid-sensor-hub.c @@ -252,6 +252,7 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, int report_size; int ret = 0; + memset(buffer, 0, buffer_size); mutex_lock(&data->mutex); report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT); if (!report || (field_index >= report->maxfield) ||
When user tried to read some fields like hysteresis from IIO sysfs on some systems, it fails. The reason is that this field is a byte field and caller of sensor_hub_get_feature() passes a buffer of 4 bytes. Here the function sensor_hub_get_feature() copies the single byte from the report to the caller buffer and returns "1" as the number of bytes copied. So caller can use the return value, which is actually not right. Since this is done by multiple callers, if we change the sensor_hub_get_feature() can make sure the caller buffer is initialized with 0s then we don't need to change all functions. Signed-off-by: Song Hongyan <hongyan.song@intel.com> --- drivers/hid/hid-sensor-hub.c | 1 + 1 file changed, 1 insertion(+)