Re: [PATCH] iio: chemical: mhz19b: bound receive buffer copy

From: Gyeyoung Baek

Date: Sun Mar 22 2026 - 07:52:53 EST


Hello Pengpeng,

On Sun, Mar 22, 2026 at 12:19 PM Pengpeng Hou <pengpeng@xxxxxxxxxxx> wrote:
>
> `mhz19b_receive_buf()` appends bytes to the fixed 9-byte command buffer
> without first checking that the new chunk fits in the remaining space.
> A single receive callback can therefore write past the end of `st->buf`
> before the driver sees that the command is complete.
>
> Drop overlong chunks and reset the partial command state before the
> copy.
>
> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
> ---
> drivers/iio/chemical/mhz19b.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/iio/chemical/mhz19b.c b/drivers/iio/chemical/mhz19b.c
> index 3c64154918b1..a028216fa2a9 100644
> --- a/drivers/iio/chemical/mhz19b.c
> +++ b/drivers/iio/chemical/mhz19b.c
> @@ -241,6 +241,11 @@ static size_t mhz19b_receive_buf(struct serdev_device *serdev,
> struct iio_dev *indio_dev = dev_get_drvdata(&serdev->dev);
> struct mhz19b_state *st = iio_priv(indio_dev);
>
> + if (len > sizeof(st->buf) - st->buf_idx) {
> + st->buf_idx = 0;
> + return len;
> + }
> +
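
Review bot: The new `if (len > sizeof(st->buf) - st->buf_idx)` branch discards the whole chunk and returns `len` without leaving any trace, so an overlong or desynchronised frame looks the same to the rest of the driver as no data arriving at all. Consider a rate-limited message such as `dev_warn_ratelimited()` or recording an error state in that branch, and add a short comment saying why the partial command is reset rather than truncated to the remaining space. The subtraction is only safe while `st->buf_idx` never exceeds `sizeof(st->buf)`; that invariant is not visible in this hunk and is worth confirming where `buf_idx` is advanced.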

It would be better to handle err immediately on the condition, but it
still looks much better than before.

Acked-by: Gyeyoung Baek <gye976@xxxxxxxxx>

--
Thanks,
Gyeyoung