serial167: fix read buffer overflow
Check whether index is within bounds before grabbing the element. Also, since NR_PORTS is defined ARRAY_SIZE(cy_port), cy_port[NR_PORTS] is out of bounds as well. [akpm@linux-foundation.org: cleanup, remove (long) casts] Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: Jiri Slaby <jirislaby@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
196b3167ef
commit
f23fc156fb
|
@ -220,8 +220,7 @@ static inline int serial_paranoia_check(struct cyclades_port *info, char *name,
|
|||
return 1;
|
||||
}
|
||||
|
||||
if ((long)info < (long)(&cy_port[0])
|
||||
|| (long)(&cy_port[NR_PORTS]) < (long)info) {
|
||||
if (info < &cy_port[0] || info >= &cy_port[NR_PORTS]) {
|
||||
printk("Warning: cyclades_port out of range for (%s) in %s\n",
|
||||
name, routine);
|
||||
return 1;
|
||||
|
@ -520,15 +519,13 @@ static irqreturn_t cd2401_tx_interrupt(int irq, void *dev_id)
|
|||
panic("TxInt on debug port!!!");
|
||||
}
|
||||
#endif
|
||||
|
||||
info = &cy_port[channel];
|
||||
|
||||
/* validate the port number (as configured and open) */
|
||||
if ((channel < 0) || (NR_PORTS <= channel)) {
|
||||
base_addr[CyIER] &= ~(CyTxMpty | CyTxRdy);
|
||||
base_addr[CyTEOIR] = CyNOTRANS;
|
||||
return IRQ_HANDLED;
|
||||
}
|
||||
info = &cy_port[channel];
|
||||
info->last_active = jiffies;
|
||||
if (info->tty == 0) {
|
||||
base_addr[CyIER] &= ~(CyTxMpty | CyTxRdy);
|
||||
|
|
Loading…
Reference in New Issue