IIO: Documentation: iio_utils: Prevent buffer overflow

The first part of build_channel_array()identifies the number of enabled channels.
Further down this count is used to allocate the ci_array. The next section parses the
scan_elements directory again, and fills ci_array regardless if the channel is enabled or not.
So if less than available channels are enabled ci_array memory is overflowed.

This fix makes sure that we allocate enough memory. But the whole approach looks a bit
cumbersome to me. Why not allocate memory for MAX_CHANNLES, less say 64
(I never seen a part with more than that channels). And skip the first part entirely.

Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/staging/iio/Documentation/iio_utils.h b/drivers/staging/iio/Documentation/iio_utils.h
index 4b023aa141984153d143018a76b767de0dcc6267..bde231352a87c2b8a66cd96cb56347c57c8589f4 100644 (file)
--- a/drivers/staging/iio/Documentation/iio_utils.h
+++ b/drivers/staging/iio/Documentation/iio_utils.h
@@ -290,15 +290,17 @@ inline int build_channel_array(const char *device_dir,
                        fscanf(sysfsfp, "%u", &ret);
                        if (ret == 1)
                                (*counter)++;
+                       count++;
                        fclose(sysfsfp);
                        free(filename);
                }
-       *ci_array = malloc(sizeof(**ci_array)*(*counter));
+       *ci_array = malloc(sizeof(**ci_array)*count);
        if (*ci_array == NULL) {
                ret = -ENOMEM;
                goto error_close_dir;
        }
        seekdir(dp, 0);
+       count = 0;
        while (ent = readdir(dp), ent != NULL) {
                if (strcmp(ent->d_name + strlen(ent->d_name) - strlen("_en"),
                           "_en") == 0) {