summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRoel Kluin <roel.kluin@gmail.com>2009-09-21 17:03:54 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2009-09-22 07:17:42 -0700
commit470967dc6c38696f853b7f338eb9d743c28a9e11 (patch)
tree9dac40e966a5bb4a902f9cdb8ea0701fe964b85f
parent734f3fa18d460995c8621cf2331b7fba88c977ce (diff)
downloadkernel-common-470967dc6c38696f853b7f338eb9d743c28a9e11.tar.gz
kernel-common-470967dc6c38696f853b7f338eb9d743c28a9e11.tar.bz2
kernel-common-470967dc6c38696f853b7f338eb9d743c28a9e11.zip
pcmcia: fix read buffer overflow
If count > 0 and dev->rlen == dev->rpos and dev->proto == 0 then we read and write dev->rbuf[-1]; Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Cc: Harald Welte <laforge@gnumonks.org> Cc: Dominik Brodowski <linux@dominikbrodowski.net> Cc: Greg KH <greg@kroah.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/char/pcmcia/cm4000_cs.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c
index 881934c068c8..c250a31efa53 100644
--- a/drivers/char/pcmcia/cm4000_cs.c
+++ b/drivers/char/pcmcia/cm4000_cs.c
@@ -1017,7 +1017,7 @@ static ssize_t cmm_read(struct file *filp, __user char *buf, size_t count,
}
}
- if (dev->proto == 0 && count > dev->rlen - dev->rpos) {
+ if (dev->proto == 0 && count > dev->rlen - dev->rpos && i) {
DEBUGP(4, dev, "T=0 and count > buffer\n");
dev->rbuf[i] = dev->rbuf[i - 1];
dev->rbuf[i - 1] = dev->procbyte;