Re: [PATCH] iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source

On Mon, Oct 27, 2025 at 11:07:13PM +0800, Miaoqian Lin wrote:

When simple_write_to_buffer() succeeds, it returns the number of bytes actually copied to the buffer, which may be less than the requested 'count' if the buffer size is insufficient. However, the current code incorrectly uses 'count' as the index for null termination instead of the actual bytes copied, leading to out-of-bound write.

Add a check for the count and use the return value as the index.

...

• if (count >= sizeof(buf))

• return -ENOSPC;
  

But this makes the validation too strict now.

ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count);

You definitely failed to read the code that implements the above.

if (ret < 0) return ret;

• buf[count] = '\0';

• buf[ret] = '\0';

NAK.

This patch is an unneeded churn.