redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity

staging: unisys: visorchannel_write() fix potential memory corruption 

This fixes the memory corruption case, if nbytes is less than offset
and sizeof(struct channel_header)

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Benjamin Romer <benjamin.romer@unisys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
hifive-unleashed-5.1
Jes Sorensen 2015-06-16 09:13:33 -04:00 committed by Greg Kroah-Hartman
parent 68905a14e4
commit 56df900cb4
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/staging/unisys/visorbus/visorchannel.c
View File

@ -258,7 +258,7 @@ visorchannel_write(struct visorchannel *channel, ulong offset,
return -EIO;
if (offset < chdr_size) {
copy_size = min(chdr_size, nbytes) - offset;
copy_size = min(chdr_size - offset, nbytes);
memcpy(&channel->chan_hdr + offset, local, copy_size);
}