[PATCH] mfd: Fix off-by-one value range checking for tps65912_i2c_write

From: Axel Lin
Date: Fri Jun 24 2011 - 03:34:16 EST

Next message: Ivo Van Doorn: "Re: [PATCH 1/2] rt2x00: Fix unspeficied typo"
Previous message: Chris Evans: "Re: [PATCH v9 05/13] seccomp_filter: Document what seccomp_filter isand how it works."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If bytes == (TPS6591X_MAX_REGISTER + 1), we have a buffer overflow when
doing memcpy(&msg[1], src, bytes).

Signed-off-by: Axel Lin <axel.lin@xxxxxxxxx>
---
drivers/mfd/tps65912-i2c.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/mfd/tps65912-i2c.c b/drivers/mfd/tps65912-i2c.c
index 9ed123a..c041f2c 100644
--- a/drivers/mfd/tps65912-i2c.c
+++ b/drivers/mfd/tps65912-i2c.c
@@ -57,7 +57,7 @@ static int tps65912_i2c_write(struct tps65912 *tps65912, u8 reg,
u8 msg[TPS6591X_MAX_REGISTER + 1];
int ret;

- if (bytes > (TPS6591X_MAX_REGISTER + 1))
+ if (bytes > TPS6591X_MAX_REGISTER)
return -EINVAL;

msg[0] = reg;
--
1.7.4.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ivo Van Doorn: "Re: [PATCH 1/2] rt2x00: Fix unspeficied typo"
Previous message: Chris Evans: "Re: [PATCH v9 05/13] seccomp_filter: Document what seccomp_filter isand how it works."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]