[PATCH] serial167: Read buffer overflow
From: Roel Kluin
Date: Mon Aug 03 2009 - 08:12:21 EST
Check whether index is within bounds before grabbing the element.
Also, since NR_PORTS is defined ARRAY_SIZE(cy_port),
cy_port[NR_PORTS] is out of bounds as well.
Signed-off-by: Roel Kluin <roel.kluin@xxxxxxxxx>
---
diff --git a/drivers/char/serial167.c b/drivers/char/serial167.c
index 51e7a46..affa5e2 100644
--- a/drivers/char/serial167.c
+++ b/drivers/char/serial167.c
@@ -222,7 +222,7 @@ static inline int serial_paranoia_check(struct cyclades_port *info, char *name,
}
if ((long)info < (long)(&cy_port[0])
- || (long)(&cy_port[NR_PORTS]) < (long)info) {
+ || (long)(&cy_port[NR_PORTS-1]) < (long)info) {
printk("Warning: cyclades_port out of range for (%s) in %s\n",
name, routine);
return 1;
@@ -521,15 +521,13 @@ static irqreturn_t cd2401_tx_interrupt(int irq, void *dev_id)
panic("TxInt on debug port!!!");
}
#endif
-
- info = &cy_port[channel];
-
/* validate the port number (as configured and open) */
if ((channel < 0) || (NR_PORTS <= channel)) {
base_addr[CyIER] &= ~(CyTxMpty | CyTxRdy);
base_addr[CyTEOIR] = CyNOTRANS;
return IRQ_HANDLED;
}
+ info = &cy_port[channel];
info->last_active = jiffies;
if (info->tty == 0) {
base_addr[CyIER] &= ~(CyTxMpty | CyTxRdy);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/