diff options
author | Roel Kluin <roel.kluin@gmail.com> | 2009-09-22 02:03:54 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-09-22 16:17:42 +0200 |
commit | 470967dc6c38696f853b7f338eb9d743c28a9e11 (patch) | |
tree | 9dac40e966a5bb4a902f9cdb8ea0701fe964b85f | |
parent | pcmcia: yenta: add missing __devexit marking (diff) | |
download | linux-470967dc6c38696f853b7f338eb9d743c28a9e11.tar.xz linux-470967dc6c38696f853b7f338eb9d743c28a9e11.zip |
pcmcia: fix read buffer overflow
If count > 0 and dev->rlen == dev->rpos and dev->proto == 0 then we read
and write dev->rbuf[-1];
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Cc: Harald Welte <laforge@gnumonks.org>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | drivers/char/pcmcia/cm4000_cs.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c index 881934c068c8..c250a31efa53 100644 --- a/drivers/char/pcmcia/cm4000_cs.c +++ b/drivers/char/pcmcia/cm4000_cs.c @@ -1017,7 +1017,7 @@ static ssize_t cmm_read(struct file *filp, __user char *buf, size_t count, } } - if (dev->proto == 0 && count > dev->rlen - dev->rpos) { + if (dev->proto == 0 && count > dev->rlen - dev->rpos && i) { DEBUGP(4, dev, "T=0 and count > buffer\n"); dev->rbuf[i] = dev->rbuf[i - 1]; dev->rbuf[i - 1] = dev->procbyte; |