pcmcia: fix read buffer overflow
If count > 0 and dev->rlen == dev->rpos and dev->proto == 0 then we read and write dev->rbuf[-1]; Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Cc: Harald Welte <laforge@gnumonks.org> Cc: Dominik Brodowski <linux@dominikbrodowski.net> Cc: Greg KH <greg@kroah.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
734f3fa18d
commit
470967dc6c
1 changed files with 1 additions and 1 deletions
|
@ -1017,7 +1017,7 @@ static ssize_t cmm_read(struct file *filp, __user char *buf, size_t count,
|
|||
}
|
||||
}
|
||||
|
||||
if (dev->proto == 0 && count > dev->rlen - dev->rpos) {
|
||||
if (dev->proto == 0 && count > dev->rlen - dev->rpos && i) {
|
||||
DEBUGP(4, dev, "T=0 and count > buffer\n");
|
||||
dev->rbuf[i] = dev->rbuf[i - 1];
|
||||
dev->rbuf[i - 1] = dev->procbyte;
|
||||
|
|
Loading…
Reference in a new issue