* [PATCH] partitions/ldm: Off by one in ldm_relative()
From: Dan Carpenter @ 2018-10-13 10:38 UTC (permalink / raw)
  To: Richard Russon (FlatCap)
  Cc: Jens Axboe, linux-ntfs-dev, linux-block, kernel-janitors

The > should be >= or otherwise we could end up reading one element
beyond the end of the array.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 block/partitions/ldm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/partitions/ldm.c b/block/partitions/ldm.c
index 16766f267559..f48bcd2f5226 100644
--- a/block/partitions/ldm.c
+++ b/block/partitions/ldm.c
@@ -636,7 +636,7 @@ static int ldm_relative(const u8 *buffer, int buflen, int base, int offset)
 {
 
 	base += offset;
-	if (!buffer || offset < 0 || base > buflen) {
+	if (!buffer || offset < 0 || base >= buflen) {
 		if (!buffer)
 			ldm_error("!buffer");
 		if (offset < 0)
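Review bot: only the outer condition becomes `base >= buflen` here (the diffstat shows a single insertion), while the earlier posting of this patch in the same thread also changed the nested `if (base > buflen)` that guards the ldm_error() call. If that nested test is still `>` in this tree, the base == buflen case now returns -1 without logging any reason. Suggest changing the nested test in the same patch so the rejected value is reported.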
-- 
2.18.0

* [PATCH] partitions/ldm: Off by one in ldm_relative()
From: Dan Carpenter @ 2018-06-20 10:44 UTC (permalink / raw)
  To: Richard Russon (FlatCap)
  Cc: Jens Axboe, linux-ntfs-dev, linux-block, kernel-janitors

If base == buflen then we read one character past the end of buffer[].

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This is static analysis.  Not tested.  This code goes back to before the
start of git.

diff --git a/block/partitions/ldm.c b/block/partitions/ldm.c
index 0417937dfe99..8f4c302eb11b 100644
--- a/block/partitions/ldm.c
+++ b/block/partitions/ldm.c
@@ -636,12 +636,12 @@ static int ldm_relative(const u8 *buffer, int buflen, int base, int offset)
 {
 
 	base += offset;
-	if (!buffer || offset < 0 || base > buflen) {
+	if (!buffer || offset < 0 || base >= buflen) {
 		if (!buffer)
 			ldm_error("!buffer");
 		if (offset < 0)
 			ldm_error("offset (%d) < 0", offset);
-		if (base > buflen)
+		if (base >= buflen)
 			ldm_error("base (%d) > buflen (%d)", base, buflen);
 		return -1;
 	}
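Review bot: the ldm_error() format string directly under the changed `if (base >= buflen)` still reads "base (%d) > buflen (%d)", so when base == buflen the log prints a comparison that is false for the values shown. Suggest updating the text to ">=" so the message matches the condition that rejected the input.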


* [PATCH] partitions/ldm: Off by one in ldm_relative()
From: Dan Carpenter @ 2018-06-20 10:44 UTC (permalink / raw)
  To: Richard Russon (FlatCap)
  Cc: Jens Axboe, linux-ntfs-dev, linux-block, kernel-janitors

If base = buflen then we read one character past the end of buffer[].

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This is static analysis.  Not tested.  This code goes back to before the
start of git.

diff --git a/block/partitions/ldm.c b/block/partitions/ldm.c
index 0417937dfe99..8f4c302eb11b 100644
--- a/block/partitions/ldm.c
+++ b/block/partitions/ldm.c
@@ -636,12 +636,12 @@ static int ldm_relative(const u8 *buffer, int buflen, int base, int offset)
 {
 
 	base += offset;
-	if (!buffer || offset < 0 || base > buflen) {
+	if (!buffer || offset < 0 || base >= buflen) {
 		if (!buffer)
 			ldm_error("!buffer");
 		if (offset < 0)
 			ldm_error("offset (%d) < 0", offset);
-		if (base > buflen)
+		if (base >= buflen)
 			ldm_error("base (%d) > buflen (%d)", base, buflen);
 		return -1;
 	}
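Review bot: the condition after `base += offset;` bounds base only from above. A negative offset is rejected, but nothing in the visible lines rejects a negative incoming base, or a sum of two ints that wraps negative, and either would pass `base >= buflen`. If the callers derive base from on-disk data, consider adding `base < 0` to the condition, so the lower bound is enforced alongside the upper bound this patch tightens.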
