From patchwork Mon Dec  1 14:07:03 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Lespiau, Damien" <damien.lespiau@intel.com>
X-Patchwork-Id: 5412731
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
X-Original-To: patchwork-dri-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 5EF719F1CD
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Mon,  1 Dec 2014 14:07:38 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 91E662010B
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Mon,  1 Dec 2014 14:07:37 +0000 (UTC)
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	by mail.kernel.org (Postfix) with ESMTP id 97EB9202A1
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Mon,  1 Dec 2014 14:07:36 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id A5A9E899D4;
	Mon,  1 Dec 2014 06:07:35 -0800 (PST)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from mga14.intel.com (mga14.intel.com [192.55.52.115])
	by gabe.freedesktop.org (Postfix) with ESMTP id 34293889BE
	for <dri-devel@lists.freedesktop.org>;
	Mon,  1 Dec 2014 06:07:34 -0800 (PST)
Received: from fmsmga001.fm.intel.com ([10.253.24.23])
	by fmsmga103.fm.intel.com with ESMTP; 01 Dec 2014 05:59:56 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.07,494,1413270000"; d="scan'208";a="630777997"
Received: from nivnitsk-mobl1.ccr.corp.intel.com (HELO
	strange.ger.corp.intel.com) ([10.252.14.110])
	by fmsmga001.fm.intel.com with ESMTP; 01 Dec 2014 06:07:05 -0800
From: Damien Lespiau <damien.lespiau@intel.com>
To: dri-devel@lists.freedesktop.org
Subject: [PATCH libdrm] drm: Avoid out of bound write in drmOpenByName()
Date: Mon,  1 Dec 2014 14:07:03 +0000
Message-Id: <1417442823-10301-1-git-send-email-damien.lespiau@intel.com>
X-Mailer: git-send-email 1.8.3.1
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_MED,
	T_RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

In the fallback code that looks for devices in /proc, the read() may
return with -1 in case of error (interruption from a signal for
instance). We'll then happily write '\0' to buf[-2].

As we didn't really care about the signal interruption before, I kept it
the same way, just making sure that retcode is > 0 to avoid that case.

This was found by static analysis.

Signed-off-by: Damien Lespiau <damien.lespiau@intel.com>
---
 xf86drm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xf86drm.c b/xf86drm.c
index d900b4b..106b8ab 100644
--- a/xf86drm.c
+++ b/xf86drm.c
@@ -579,7 +579,7 @@ static int drmOpenByName(const char *name)
 	if ((fd = open(proc_name, 0, 0)) >= 0) {
 	    retcode = read(fd, buf, sizeof(buf)-1);
 	    close(fd);
-	    if (retcode) {
+	    if (retcode > 0) {
 		buf[retcode-1] = '\0';
 		for (driver = pt = buf; *pt && *pt != ' '; ++pt)
 		    ;