tty: max310x: fix off-by-one buffer access when storing overrun

A recent change split the insertion loop into two parts. The first part accessed bytes 0, 1, ... (rxlen - 2), and the second part by mistake took offset `rxlen` instead of the correct `rxlen - 1`. So one byte was not stored, and the final access wrote past the end of the rx_buf. Fixes: 9c12d739d6 (tty: max310x: Split uart characters insertion loop) Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz> Reviewed-by: Serge Semin <fancer.lancer@gmail.com> Link: https://lore.kernel.org/r/13ea227620aaad8a7231d42ed03a8508297d4eb3.1567027079.git.jan.kundrat@cesnet.cz Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-08-28 19:56:26 +02:00 · 2019-08-28 19:56:26 +02:00 · 8016c3da0c
parent 06e9b2fe7f
commit 8016c3da0c
1 changed files with 1 additions and 1 deletions
--- a/drivers/tty/serial/max310x.c
+++ b/drivers/tty/serial/max310x.c
@ -689,7 +689,7 @@ static void max310x_handle_rx(struct uart_port *port, unsigned int rxlen)
 		 * tail.
 		 */
 		uart_insert_char(port, sts, MAX310X_LSR_RXOVR_BIT,
-				 one->rx_buf[rxlen], flag);
+				 one->rx_buf[rxlen-1], flag);

 	} else {
 		if (unlikely(rxlen >= port->fifosize)) {