pcmcia: fix read buffer overflow
authorRoel Kluin <[email protected]>
Tue, 22 Sep 2009 00:03:54 +0000 (17:03 -0700)
committerLinus Torvalds <[email protected]>
Tue, 22 Sep 2009 14:17:42 +0000 (07:17 -0700)
If count > 0 and dev->rlen == dev->rpos and dev->proto == 0 then we read
and write dev->rbuf[-1];

Signed-off-by: Roel Kluin <[email protected]>
Cc: Harald Welte <[email protected]>
Cc: Dominik Brodowski <[email protected]>
Cc: Greg KH <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
drivers/char/pcmcia/cm4000_cs.c

index 881934c068c84e1c3599b5581a65bc7dca8d1ebf..c250a31efa537c1f15ab8466b20bcc779ba214f3 100644 (file)
@@ -1017,7 +1017,7 @@ static ssize_t cmm_read(struct file *filp, __user char *buf, size_t count,
                }
        }
 
-       if (dev->proto == 0 && count > dev->rlen - dev->rpos) {
+       if (dev->proto == 0 && count > dev->rlen - dev->rpos && i) {
                DEBUGP(4, dev, "T=0 and count > buffer\n");
                dev->rbuf[i] = dev->rbuf[i - 1];
                dev->rbuf[i - 1] = dev->procbyte;
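Review bot: The added `&& i` guard on the T=0 check stops the `dev->rbuf[i - 1]` underflow, but the write to `dev->rbuf[i]` two lines below it still has no upper bound visible in this hunk. `i` is computed above the hunk, so whether it can reach the size of `rbuf` cannot be confirmed here; if it can, the swap stores one byte past the buffer, and that bound should be checked where `i` is derived or added to this condition. The subtraction `dev->rlen - dev->rpos` is also worth a look: if those fields are unsigned and `rpos` can ever exceed `rlen`, the difference wraps and the comparison with `count` no longer means what it says. As a style point, `i > 0` with a short comment such as `/* need a previous byte to swap with procbyte */` states the intent more clearly than a bare `&& i`. cmm_read's body starts and ends outside the hunk.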