From: Yu Kuai <yukuai3@huawei.com>
To: <laforge@gnumonks.org>, <arnd@arndb.de>,
<gregkh@linuxfoundation.org>, <akpm@osdl.org>
Cc: <linux-kernel@vger.kernel.org>, <yukuai3@huawei.com>,
<yi.zhang@huawei.com>
Subject: [PATCH] char: pcmcia: fix possible array index out of bounds in set_protocol()
Date: Fri, 21 May 2021 18:07:05 +0800 [thread overview]
Message-ID: <20210521100705.28234-1-yukuai3@huawei.com> (raw)
The length of array 'pts_reply' is 4, and the loop in set_protocol()
will access array element from 0 to num_bytes_read - 1. Thus if
io_read_num_rec_bytes() gets 'num_bytes_read' more than 4, it will
cause index out of bounds errors.
Fixes: c1986ee9bea3 ("[PATCH] New Omnikey Cardman 4000 driver")
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
---
drivers/char/pcmcia/cm4000_cs.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c
index 89681f07bc78..86b7c8e44198 100644
--- a/drivers/char/pcmcia/cm4000_cs.c
+++ b/drivers/char/pcmcia/cm4000_cs.c
@@ -564,16 +564,15 @@ static int set_protocol(struct cm4000_dev *dev, struct ptsreq *ptsreq)
/* Read PPS reply */
DEBUGP(5, dev, "Read PPS reply\n");
- for (i = 0; i < num_bytes_read; i++) {
+ for (i = 0; i < 4; i++) {
xoutb(i, REG_BUF_ADDR(iobase));
pts_reply[i] = inb(REG_BUF_DATA(iobase));
}
#ifdef CM4000_DEBUG
DEBUGP(2, dev, "PTSreply: ");
- for (i = 0; i < num_bytes_read; i++) {
+ for (i = 0; i < 4; i++)
pr_debug("0x%.2x ", pts_reply[i]);
- }
pr_debug("\n");
#endif /* CM4000_DEBUG */
--
2.25.4
next reply other threads:[~2021-05-21 9:59 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-21 10:07 Yu Kuai [this message]
2021-05-21 10:59 ` [PATCH] char: pcmcia: fix possible array index out of bounds in set_protocol() Greg KH
2021-05-21 11:34 ` yukuai (C)
2021-05-21 11:42 ` Greg KH
2021-05-21 12:06 ` [PATCH V2] char: pcmcia: error out if 'num_bytes_read' is greater than 4 " Yu Kuai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210521100705.28234-1-yukuai3@huawei.com \
--to=yukuai3@huawei.com \
--cc=akpm@osdl.org \
--cc=arnd@arndb.de \
--cc=gregkh@linuxfoundation.org \
--cc=laforge@gnumonks.org \
--cc=linux-kernel@vger.kernel.org \
--cc=yi.zhang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.