From: Roel Kluin Date: Thu, 1 Oct 2009 22:44:25 +0000 (-0700) Subject: serial167: fix read buffer overflow X-Git-Tag: firefly_0821_release~12235 X-Git-Url: http://plrg.eecs.uci.edu/git/?a=commitdiff_plain;h=f23fc156fb4294f678f1913a56da633fa57edb2d;p=firefly-linux-kernel-4.4.55.git serial167: fix read buffer overflow Check whether index is within bounds before grabbing the element. Also, since NR_PORTS is defined ARRAY_SIZE(cy_port), cy_port[NR_PORTS] is out of bounds as well. [akpm@linux-foundation.org: cleanup, remove (long) casts] Signed-off-by: Roel Kluin Cc: Alan Cox Cc: Jiri Slaby Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/drivers/char/serial167.c b/drivers/char/serial167.c index 5942a9d674c0..452370af95de 100644 --- a/drivers/char/serial167.c +++ b/drivers/char/serial167.c @@ -220,8 +220,7 @@ static inline int serial_paranoia_check(struct cyclades_port *info, char *name, return 1; } - if ((long)info < (long)(&cy_port[0]) - || (long)(&cy_port[NR_PORTS]) < (long)info) { + if (info < &cy_port[0] || info >= &cy_port[NR_PORTS]) { printk("Warning: cyclades_port out of range for (%s) in %s\n", name, routine); return 1; @@ -520,15 +519,13 @@ static irqreturn_t cd2401_tx_interrupt(int irq, void *dev_id) panic("TxInt on debug port!!!"); } #endif - - info = &cy_port[channel]; - /* validate the port number (as configured and open) */ if ((channel < 0) || (NR_PORTS <= channel)) { base_addr[CyIER] &= ~(CyTxMpty | CyTxRdy); base_addr[CyTEOIR] = CyNOTRANS; return IRQ_HANDLED; } + info = &cy_port[channel]; info->last_active = jiffies; if (info->tty == 0) { base_addr[CyIER] &= ~(CyTxMpty | CyTxRdy);