diff mbox

[PATCHv2,2/4] DSPBRIDGE: Heuristic fixes of strlen/malloc out by one

Message ID 1246978928-7139-2-git-send-email-ameya.palande@nokia.com (mailing list archive)
State Not Applicable, archived
Headers show

Commit Message

Ameya Palande July 7, 2009, 3:02 p.m. UTC 
From: Phil Carmody <ext-phil.2.carmody@nokia.com>

I say 'heuristic', as I can't prove they're wrong, they just look
wrong, and for that reason should be given extra close scrutiny.
These are basically just the old malloc-one-more-than-strlen.

Signed-off-by: Phil Carmody <ext-phil.2.carmody@nokia.com>
---
 drivers/dsp/bridge/pmgr/wcd.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

Comments

Guzman Lugo, Fernando July 9, 2009, 11:52 p.m. UTC | #1 
Thanks good patch.

> -----Original Message-----
> From: Ameya Palande [mailto:ameya.palande@nokia.com]
> Sent: Tuesday, July 07, 2009 10:02 AM
> To: linux-omap@vger.kernel.org
> Cc: Guzman Lugo, Fernando; Kanigeri, Hari; ext-phil.2.carmody@nokia.com
> Subject: [PATCHv2 2/4] DSPBRIDGE: Heuristic fixes of strlen/malloc out by
> one
> 
> From: Phil Carmody <ext-phil.2.carmody@nokia.com>
> 
> I say 'heuristic', as I can't prove they're wrong, they just look
> wrong, and for that reason should be given extra close scrutiny.
> These are basically just the old malloc-one-more-than-strlen.
> 
> Signed-off-by: Phil Carmody <ext-phil.2.carmody@nokia.com>
> ---
>  drivers/dsp/bridge/pmgr/wcd.c |   11 ++++++-----
>  1 files changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/dsp/bridge/pmgr/wcd.c b/drivers/dsp/bridge/pmgr/wcd.c
> index aaf3019..563a1d8 100644
> --- a/drivers/dsp/bridge/pmgr/wcd.c
> +++ b/drivers/dsp/bridge/pmgr/wcd.c
> @@ -532,8 +532,9 @@ u32 MGRWRAP_RegisterObject(union Trapped_Args *args)
>  	cp_fm_usr(&pUuid, args->ARGS_MGR_REGISTEROBJECT.pUuid, status, 1);
>  	if (DSP_FAILED(status))
>  		goto func_end;
> +	/* pathSize is increased by 1 to accommodate NULL */
>  	pathSize = strlen_user((char *)
> -				args->ARGS_MGR_REGISTEROBJECT.pszPathName);
> +			args->ARGS_MGR_REGISTEROBJECT.pszPathName) + 1;
>  	pszPathName = MEM_Alloc(pathSize, MEM_NONPAGED);
>  	if (!pszPathName)
>  		goto func_end;
> @@ -544,7 +545,6 @@ u32 MGRWRAP_RegisterObject(union Trapped_Args *args)
>  		status = DSP_EPOINTER;
>  		goto func_end;
>  	}
> -	pszPathName[pathSize] = '\0';
> 
>  	GT_1trace(WCD_debugMask, GT_ENTER,
>  		 "MGRWRAP_RegisterObject: entered pg2hMsg "
> @@ -904,7 +904,8 @@ u32 PROCWRAP_Load(union Trapped_Args *args)
>  		if (argv[i] != NULL) {
>                          /* User space pointer to argument */
>                         temp = (char *) argv[i];
> -                       len = strlen_user((char *)temp);
> +			/* len is increased by 1 to accommodate NULL */
> +			len = strlen_user((char *)temp) + 1;
>  			/* Kernel space pointer to argument */
>  			argv[i] = MEM_Alloc(len, MEM_NONPAGED);
>  			if (argv[i] == NULL) {
> @@ -914,7 +915,6 @@ u32 PROCWRAP_Load(union Trapped_Args *args)
>  			cp_fm_usr(argv[i], temp, status, len);
>  			if (DSP_FAILED(status))
>  				goto func_cont;
> -
>  		}
>  	}
>  	/* TODO: validate this */
> @@ -937,7 +937,8 @@ u32 PROCWRAP_Load(union Trapped_Args *args)
>  		for (i = 0; DSP_SUCCEEDED(status) && (envp[i] != NULL); i++) {
>                          /* User space pointer to argument */
>                         temp = (char *)envp[i];
> -                       len = strlen_user((char *)temp);
> +			/* len is increased by 1 to accommodate NULL */
> +			len = strlen_user((char *)temp) + 1;
>  			/* Kernel space pointer to argument */
>  			envp[i] = MEM_Alloc(len, MEM_NONPAGED);
>  			if (envp[i] == NULL) {
> --
> 1.6.2.4
> 

Acked-by Fernando Guzman Lugo <x0095840@ti.com>

--
To unsubscribe from this list: send the line "unsubscribe linux-omap" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/drivers/dsp/bridge/pmgr/wcd.c b/drivers/dsp/bridge/pmgr/wcd.c
index aaf3019..563a1d8 100644
--- a/drivers/dsp/bridge/pmgr/wcd.c
+++ b/drivers/dsp/bridge/pmgr/wcd.c
@@ -532,8 +532,9 @@  u32 MGRWRAP_RegisterObject(union Trapped_Args *args)
 	cp_fm_usr(&pUuid, args->ARGS_MGR_REGISTEROBJECT.pUuid, status, 1);
 	if (DSP_FAILED(status))
 		goto func_end;
+	/* pathSize is increased by 1 to accommodate NULL */
 	pathSize = strlen_user((char *)
-				args->ARGS_MGR_REGISTEROBJECT.pszPathName);
+			args->ARGS_MGR_REGISTEROBJECT.pszPathName) + 1;
 	pszPathName = MEM_Alloc(pathSize, MEM_NONPAGED);
 	if (!pszPathName)
 		goto func_end;
@@ -544,7 +545,6 @@  u32 MGRWRAP_RegisterObject(union Trapped_Args *args)
 		status = DSP_EPOINTER;
 		goto func_end;
 	}
-	pszPathName[pathSize] = '\0';
 
 	GT_1trace(WCD_debugMask, GT_ENTER,
 		 "MGRWRAP_RegisterObject: entered pg2hMsg "
@@ -904,7 +904,8 @@  u32 PROCWRAP_Load(union Trapped_Args *args)
 		if (argv[i] != NULL) {
                         /* User space pointer to argument */
                        temp = (char *) argv[i];
-                       len = strlen_user((char *)temp);
+			/* len is increased by 1 to accommodate NULL */
+			len = strlen_user((char *)temp) + 1;
 			/* Kernel space pointer to argument */
 			argv[i] = MEM_Alloc(len, MEM_NONPAGED);
 			if (argv[i] == NULL) {
@@ -914,7 +915,6 @@  u32 PROCWRAP_Load(union Trapped_Args *args)
 			cp_fm_usr(argv[i], temp, status, len);
 			if (DSP_FAILED(status))
 				goto func_cont;
-
 		}
 	}
 	/* TODO: validate this */
@@ -937,7 +937,8 @@  u32 PROCWRAP_Load(union Trapped_Args *args)
 		for (i = 0; DSP_SUCCEEDED(status) && (envp[i] != NULL); i++) {
                         /* User space pointer to argument */
                        temp = (char *)envp[i];
-                       len = strlen_user((char *)temp);
+			/* len is increased by 1 to accommodate NULL */
+			len = strlen_user((char *)temp) + 1;
 			/* Kernel space pointer to argument */
 			envp[i] = MEM_Alloc(len, MEM_NONPAGED);
 			if (envp[i] == NULL) {