[PATCH] mfd: tps6507x - fix off-by-one value range checking

From: Axel Lin
Date: Tue Oct 12 2010 - 22:43:37 EST

Next message: Dave Chinner: "Re: [PATCH 00/17] [RFC] soft and dynamic dirty throttling limits"
Previous message: Hitoshi Mitake: "Re: [PATCH 1/2] lockdep: check the depth of subclass"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

We use msg[0] for device register.
If bytes == (TPS6507X_MAX_REGISTER + 1),
we got a buffer overflow when doing memcpy(&msg[1], src, bytes);
Thus we must ensure bytes not greater than TPS6507X_MAX_REGISTER.

Signed-off-by: Axel Lin <axel.lin@xxxxxxxxx>
---
drivers/mfd/tps6507x.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/mfd/tps6507x.c b/drivers/mfd/tps6507x.c
index fc01976..33ba772 100644
--- a/drivers/mfd/tps6507x.c
+++ b/drivers/mfd/tps6507x.c
@@ -68,7 +68,7 @@ static int tps6507x_i2c_write_device(struct tps6507x_dev *tps6507x, char reg,
u8 msg[TPS6507X_MAX_REGISTER + 1];
int ret;

- if (bytes > (TPS6507X_MAX_REGISTER + 1))
+ if (bytes > TPS6507X_MAX_REGISTER)
return -EINVAL;

msg[0] = reg;
--
1.7.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dave Chinner: "Re: [PATCH 00/17] [RFC] soft and dynamic dirty throttling limits"
Previous message: Hitoshi Mitake: "Re: [PATCH 1/2] lockdep: check the depth of subclass"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]