[PATCH] mfd: Fix off-by-one value range checking fortps65910_i2c_write

From: Axel Lin
Date: Fri May 13 2011 - 05:14:11 EST

Next message: Carl-Johan Kjellander: "Re: Sched_autogroup and niced processes"
Previous message: Tejun Heo: "Re: [PATCH 10/11] ptrace: move JOBCTL_TRAPPING wait to wait(2) andptrace_check_attach()"
Next in thread: Samuel Ortiz: "Re: [PATCH] mfd: Fix off-by-one value range checking fortps65910_i2c_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If bytes == (TPS65910_MAX_REGISTER + 1), we have a buffer overflow when
doing memcpy(&msg[1], src, bytes).

Signed-off-by: Axel Lin <axel.lin@xxxxxxxxx>
---
drivers/mfd/tps65910.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/mfd/tps65910.c b/drivers/mfd/tps65910.c
index bf649cf..e318248 100644
--- a/drivers/mfd/tps65910.c
+++ b/drivers/mfd/tps65910.c
@@ -71,7 +71,7 @@ static int tps65910_i2c_write(struct tps65910 *tps65910, u8 reg,
u8 msg[TPS65910_MAX_REGISTER + 1];
int ret;

- if (bytes > (TPS65910_MAX_REGISTER + 1))
+ if (bytes > TPS65910_MAX_REGISTER)
return -EINVAL;

msg[0] = reg;
--
1.7.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Carl-Johan Kjellander: "Re: Sched_autogroup and niced processes"
Previous message: Tejun Heo: "Re: [PATCH 10/11] ptrace: move JOBCTL_TRAPPING wait to wait(2) andptrace_check_attach()"
Next in thread: Samuel Ortiz: "Re: [PATCH] mfd: Fix off-by-one value range checking fortps65910_i2c_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]