* [patch 1/2] staging: dgnc: some off by one bugs
From: Dan Carpenter @ 2015-03-12 17:07 UTC (permalink / raw)
To: Lidza Louina
Cc: Mark Hounschell, Greg Kroah-Hartman, driverdev-devel,
linux-serial, kernel-janitors
"dgnc_NumBoards" is the number of filled out elements in the
dgnc_Board[] array. "->nasync" and "->maxports" are the value. They
are the number of channels in the ->channels[] array so these tests
should be ">=" instead of ">" so we avoid reading past the end of the
arrays.
I cleaned up the conditions in dgnc_mgmt_ioctl() a bit. There was a
work around for the off by one bug in the case where there were no
boards which is no longer needed. "channel" is unsigned so it can't be
negative.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/staging/dgnc/dgnc_cls.c b/drivers/staging/dgnc/dgnc_cls.c
index bedc522..0d8f154 100644
--- a/drivers/staging/dgnc/dgnc_cls.c
+++ b/drivers/staging/dgnc/dgnc_cls.c
@@ -406,7 +406,7 @@ static inline void cls_parse_isr(struct dgnc_board *brd, uint port)
* verified in the interrupt routine.
*/
- if (port > brd->nasync)
+ if (port >= brd->nasync)
return;
ch = brd->channels[port];
diff --git a/drivers/staging/dgnc/dgnc_mgmt.c b/drivers/staging/dgnc/dgnc_mgmt.c
index 5544a8e..01b290e 100644
--- a/drivers/staging/dgnc/dgnc_mgmt.c
+++ b/drivers/staging/dgnc/dgnc_mgmt.c
@@ -196,11 +196,11 @@ long dgnc_mgmt_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
channel = ni.channel;
/* Verify boundaries on board */
- if ((board > dgnc_NumBoards) || (dgnc_NumBoards == 0))
+ if (board >= dgnc_NumBoards)
return -ENODEV;
/* Verify boundaries on channel */
- if ((channel < 0) || (channel > dgnc_Board[board]->nasync))
+ if (channel >= dgnc_Board[board]->nasync)
return -ENODEV;
ch = dgnc_Board[board]->channels[channel];
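Review bot: The two range checks in dgnc_mgmt_ioctl() are complete only if `board` and `channel` are unsigned, and with `channel < 0` removed nothing on these lines records that dependency. The commit message says `channel` is unsigned, but the declarations are outside the hunk, so I would confirm `board` is too and note it in the comment, e.g. `/* board and channel are unsigned, so >= also rejects negative values */`. Both indices appear to come from the caller-supplied `ni`, so on kernels that provide it, clamping after the check with `board = array_index_nospec(board, dgnc_NumBoards);` (and likewise for `channel`) would also keep the two lookups bounded under speculation. The enclosing block starts and ends outside the hunk, and the identical hunk in the v2 resend is covered by this note.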
diff --git a/drivers/staging/dgnc/dgnc_neo.c b/drivers/staging/dgnc/dgnc_neo.c
index 1268aa9..921e463 100644
--- a/drivers/staging/dgnc/dgnc_neo.c
+++ b/drivers/staging/dgnc/dgnc_neo.c
@@ -407,7 +407,7 @@ static inline void neo_parse_isr(struct dgnc_board *brd, uint port)
if (!brd || brd->magic != DGNC_BOARD_MAGIC)
return;
- if (port > brd->maxports)
+ if (port >= brd->maxports)
return;
ch = brd->channels[port];
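Review bot: The bound on `brd->channels[port]` is `brd->maxports` here and in neo_parse_lsr(), but `brd->nasync` in neo_intr() in the same file and in cls_parse_isr() and dgnc_tty_open(). The commit message says the two fields hold the same value; if that is meant as an invariant, testing one field everywhere (for example `if (port >= brd->nasync)`) or a short comment where they are assigned would keep a later change to one of them from reopening the overrun. Both function bodies continue outside their hunks, so any later use of `ch` cannot be checked from here. The same applies to the identical hunks in the v2 resend.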
@@ -537,7 +537,7 @@ static inline void neo_parse_lsr(struct dgnc_board *brd, uint port)
if (!brd || brd->magic != DGNC_BOARD_MAGIC)
return;
- if (port > brd->maxports)
+ if (port >= brd->maxports)
return;
ch = brd->channels[port];
@@ -1019,7 +1019,7 @@ static irqreturn_t neo_intr(int irq, void *voidbrd)
*/
/* Verify the port is in range. */
- if (port > brd->nasync)
+ if (port >= brd->nasync)
continue;
ch = brd->channels[port];
diff --git a/drivers/staging/dgnc/dgnc_tty.c b/drivers/staging/dgnc/dgnc_tty.c
index 8179342..4507d4a 100644
--- a/drivers/staging/dgnc/dgnc_tty.c
+++ b/drivers/staging/dgnc/dgnc_tty.c
@@ -1060,7 +1060,7 @@ static int dgnc_tty_open(struct tty_struct *tty, struct file *file)
spin_lock_irqsave(&brd->bd_lock, flags);
/* If opened device is greater than our number of ports, bail. */
- if (PORT_NUM(minor) > brd->nasync) {
+ if (PORT_NUM(minor) >= brd->nasync) {
spin_unlock_irqrestore(&brd->bd_lock, flags);
return -ENXIO;
}
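Review bot: The comment above the check in dgnc_tty_open() still says "greater than our number of ports", which no longer matches the test, because a port number equal to `brd->nasync` is now rejected as well. I would reword it to describe the index rule, e.g. `/* If the port number is not below our number of ports, bail. */`. The function body starts and ends outside the hunk, and the identical hunk in the v2 resend has the same stale comment.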
* Re: [patch 1/2] staging: dgnc: some off by one bugs
From: Dan Carpenter @ 2015-03-12 17:19 UTC (permalink / raw)
To: Lidza Louina
Cc: Greg Kroah-Hartman, driverdev-devel, kernel-janitors,
linux-serial
On Thu, Mar 12, 2015 at 08:07:39PM +0300, Dan Carpenter wrote:
> "dgnc_NumBoards" is the number of filled out elements in the
> dgnc_Board[] array. "->nasync" and "->maxports" are the value.
I meant "the *same* value". I'll resend.
regards,
dan carpenter
* [patch 1/2 v2] staging: dgnc: some off by one bugs
From: Dan Carpenter @ 2015-03-12 17:24 UTC (permalink / raw)
To: Lidza Louina
Cc: Greg Kroah-Hartman, driverdev-devel, kernel-janitors,
linux-serial
"dgnc_NumBoards" is the number of filled out elements in the
dgnc_Board[] array. "->nasync" and "->maxports" are the same value.
They are the number of channels in the ->channels[] array so these tests
should be ">=" instead of ">" so we avoid reading past the end of the
arrays.
I cleaned up the conditions in dgnc_mgmt_ioctl() a bit. There was a
work around for the off by one bug in the case where there were no
boards which is no longer needed. "channel" is unsigned so it can't be
negative.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: fix changelog
diff --git a/drivers/staging/dgnc/dgnc_cls.c b/drivers/staging/dgnc/dgnc_cls.c
index bedc522..0d8f154 100644
--- a/drivers/staging/dgnc/dgnc_cls.c
+++ b/drivers/staging/dgnc/dgnc_cls.c
@@ -406,7 +406,7 @@ static inline void cls_parse_isr(struct dgnc_board *brd, uint port)
* verified in the interrupt routine.
*/
- if (port > brd->nasync)
+ if (port >= brd->nasync)
return;
ch = brd->channels[port];
diff --git a/drivers/staging/dgnc/dgnc_mgmt.c b/drivers/staging/dgnc/dgnc_mgmt.c
index 5544a8e..01b290e 100644
--- a/drivers/staging/dgnc/dgnc_mgmt.c
+++ b/drivers/staging/dgnc/dgnc_mgmt.c
@@ -196,11 +196,11 @@ long dgnc_mgmt_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
channel = ni.channel;
/* Verify boundaries on board */
- if ((board > dgnc_NumBoards) || (dgnc_NumBoards == 0))
+ if (board >= dgnc_NumBoards)
return -ENODEV;
/* Verify boundaries on channel */
- if ((channel < 0) || (channel > dgnc_Board[board]->nasync))
+ if (channel >= dgnc_Board[board]->nasync)
return -ENODEV;
ch = dgnc_Board[board]->channels[channel];
diff --git a/drivers/staging/dgnc/dgnc_neo.c b/drivers/staging/dgnc/dgnc_neo.c
index 1268aa9..921e463 100644
--- a/drivers/staging/dgnc/dgnc_neo.c
+++ b/drivers/staging/dgnc/dgnc_neo.c
@@ -407,7 +407,7 @@ static inline void neo_parse_isr(struct dgnc_board *brd, uint port)
if (!brd || brd->magic != DGNC_BOARD_MAGIC)
return;
- if (port > brd->maxports)
+ if (port >= brd->maxports)
return;
ch = brd->channels[port];
@@ -537,7 +537,7 @@ static inline void neo_parse_lsr(struct dgnc_board *brd, uint port)
if (!brd || brd->magic != DGNC_BOARD_MAGIC)
return;
- if (port > brd->maxports)
+ if (port >= brd->maxports)
return;
ch = brd->channels[port];
@@ -1019,7 +1019,7 @@ static irqreturn_t neo_intr(int irq, void *voidbrd)
*/
/* Verify the port is in range. */
- if (port > brd->nasync)
+ if (port >= brd->nasync)
continue;
ch = brd->channels[port];
diff --git a/drivers/staging/dgnc/dgnc_tty.c b/drivers/staging/dgnc/dgnc_tty.c
index 8179342..4507d4a 100644
--- a/drivers/staging/dgnc/dgnc_tty.c
+++ b/drivers/staging/dgnc/dgnc_tty.c
@@ -1060,7 +1060,7 @@ static int dgnc_tty_open(struct tty_struct *tty, struct file *file)
spin_lock_irqsave(&brd->bd_lock, flags);
/* If opened device is greater than our number of ports, bail. */
- if (PORT_NUM(minor) > brd->nasync) {
+ if (PORT_NUM(minor) >= brd->nasync) {
spin_unlock_irqrestore(&brd->bd_lock, flags);
return -ENXIO;
}