[PATCH] char: pcmcia: fix possible array index out of bounds in set_protocol()
From: Yu Kuai
Date: Fri May 21 2021 - 05:59:06 EST
The length of array 'pts_reply' is 4, and the loop in set_protocol()
will access array element from 0 to num_bytes_read - 1. Thus if
io_read_num_rec_bytes() gets 'num_bytes_read' more than 4, it will
cause index out of bounds errors.
Fixes: c1986ee9bea3 ("[PATCH] New Omnikey Cardman 4000 driver")
Signed-off-by: Yu Kuai <yukuai3@xxxxxxxxxx>
---
drivers/char/pcmcia/cm4000_cs.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c
index 89681f07bc78..86b7c8e44198 100644
--- a/drivers/char/pcmcia/cm4000_cs.c
+++ b/drivers/char/pcmcia/cm4000_cs.c
@@ -564,16 +564,15 @@ static int set_protocol(struct cm4000_dev *dev, struct ptsreq *ptsreq)
/* Read PPS reply */
DEBUGP(5, dev, "Read PPS reply\n");
- for (i = 0; i < num_bytes_read; i++) {
+ for (i = 0; i < 4; i++) {
xoutb(i, REG_BUF_ADDR(iobase));
pts_reply[i] = inb(REG_BUF_DATA(iobase));
}
#ifdef CM4000_DEBUG
DEBUGP(2, dev, "PTSreply: ");
- for (i = 0; i < num_bytes_read; i++) {
+ for (i = 0; i < 4; i++)
pr_debug("0x%.2x ", pts_reply[i]);
- }
pr_debug("\n");
#endif /* CM4000_DEBUG */
--
2.25.4