On Mon, Oct 27, 2025 at 11:07:13PM +0800, Miaoqian Lin wrote:
When simple_write_to_buffer() succeeds, it returns the number of bytes actually copied to the buffer, which may be less than the requested 'count' if the buffer size is insufficient. However, the current code incorrectly uses 'count' as the index for null termination instead of the actual number of bytes copied, leading to an out-of-bounds write.
Add a check for the count and use the return value as the index.
...
- if (count >= sizeof(buf))
return -ENOSPC;
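Review bot: dropping the `if (count >= sizeof(buf)) return -ENOSPC;` check changes the user-visible behaviour for oversized writes, and the commit message does not mention it. simple_write_to_buffer() clamps the copy to `available - *ppos` (here `sizeof(buf) - 1 - *ppos`) and returns the clamped length, so a write larger than the buffer now succeeds as a silent short write instead of failing with -ENOSPC. If the intent is only to fix the terminator index, keep the check and change just the index line; if the truncation is intended, say so in the changelog.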
This is already done below.
ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count); if (ret < 0) return ret;
...
- buf[count] = '\0';
- buf[ret] = '\0';
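Review bot: with the `count >= sizeof(buf)` check in place, `count` is at most `sizeof(buf) - 1`, so `buf[count]` still indexes inside `buf`; the hunk as shown does not give the path by which the index goes out of bounds, and the changelog should spell that path out (or carry the KASAN report). Separately, `buf[ret]` is only the right terminator index when `*ppos` was 0 on entry: simple_write_to_buffer() copies to `to + *ppos` and returns only the number of bytes copied, so for a non-zero offset the terminator at `buf[ret]` lands before the end of the data just written. The offset-independent end of the data is `*ppos` after the call returns, so either terminate there or reject non-zero offsets.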
Do we have an actual issue right now? Can you model it and show a real traceback?