From: Dan Carpenter <dan.carpenter@oracle.com>
To: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jslaby@suse.cz>,
linux-serial@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch 2/2 v2] serial: jsm: some off by one bugs
Date: Tue, 17 Mar 2015 09:17:28 +0000
Message-ID: <20150317091728.GA19685@mwanda>
In-Reply-To: <20150316174743.GB6037@oc0812247204.ltc.br.ibm.com>
"brd->nasync" and "brd->maxports" are the same. They hold the number of
filled out channels in the brd->channels[] array. These tests should
be ">=" instead of ">" so that we don't read one element past the end.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: Thadeu Cascardo noticed another off by one that I missed.
diff --git a/drivers/tty/serial/jsm/jsm_cls.c b/drivers/tty/serial/jsm/jsm_cls.c
index bfb0681..4eb12a9 100644
--- a/drivers/tty/serial/jsm/jsm_cls.c
+++ b/drivers/tty/serial/jsm/jsm_cls.c
@@ -570,7 +570,7 @@ static inline void cls_parse_isr(struct jsm_board *brd, uint port)
* verified in the interrupt routine.
*/
- if (port > brd->nasync)
+ if (port >= brd->nasync)
return;
ch = brd->channels[port];
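Review bot: the comment just above this test in cls_parse_isr() says the port was already verified in the interrupt routine, but this is the only hunk in jsm_cls.c. Please check that the caller's range test in that file is not also written as "port > brd->nasync", since the neo_intr() hunk in this patch shows the interrupt-side check in jsm_neo.c had the same off by one.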
diff --git a/drivers/tty/serial/jsm/jsm_neo.c b/drivers/tty/serial/jsm/jsm_neo.c
index 7291c21..932b2ac 100644
--- a/drivers/tty/serial/jsm/jsm_neo.c
+++ b/drivers/tty/serial/jsm/jsm_neo.c
@@ -724,7 +724,7 @@ static inline void neo_parse_isr(struct jsm_board *brd, u32 port)
if (!brd)
return;
- if (port > brd->maxports)
+ if (port >= brd->maxports)
return;
ch = brd->channels[port];
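Review bot: in neo_parse_isr() the bound is brd->maxports, while neo_intr() in the same file tests brd->nasync before the same brd->channels[port] read. The changelog says the two fields are the same; indexing channels[] against one field everywhere would keep these checks from drifting apart if that ever stops being true.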
@@ -840,7 +840,7 @@ static inline void neo_parse_lsr(struct jsm_board *brd, u32 port)
if (!brd)
return;
- if (port > brd->maxports)
+ if (port >= brd->maxports)
return;
ch = brd->channels[port];
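Review bot: neo_parse_lsr() repeats the exact sequence from neo_parse_isr() (NULL test on brd, "port >= brd->maxports", then brd->channels[port]). A small helper that returns the channel, or NULL for an out-of-range port, would leave one comparison to get right instead of the four touched by this patch.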
@@ -1180,7 +1180,7 @@ static irqreturn_t neo_intr(int irq, void *voidbrd)
*/
/* Verify the port is in range. */
- if (port > brd->nasync)
+ if (port >= brd->nasync)
continue;
ch = brd->channels[port];
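Review bot: the declaration of port in neo_intr() is outside this hunk, whereas cls_parse_isr() takes uint and neo_parse_isr()/neo_parse_lsr() take u32. Worth confirming it is unsigned here too, so that "port >= brd->nasync" is the only test needed before brd->channels[port] and a negative index cannot slip under it.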