From: Roel Kluin Date: Tue, 22 Sep 2009 00:03:54 +0000 (-0700) Subject: pcmcia: fix read buffer overflow X-Git-Tag: firefly_0821_release~12750 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=470967dc6c38696f853b7f338eb9d743c28a9e11;p=firefly-linux-kernel-4.4.55.git pcmcia: fix read buffer overflow If count > 0 and dev->rlen == dev->rpos and dev->proto == 0 then we read and write dev->rbuf[-1]; Signed-off-by: Roel Kluin Cc: Harald Welte Cc: Dominik Brodowski Cc: Greg KH Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c index 881934c068c8..c250a31efa53 100644 --- a/drivers/char/pcmcia/cm4000_cs.c +++ b/drivers/char/pcmcia/cm4000_cs.c @@ -1017,7 +1017,7 @@ static ssize_t cmm_read(struct file *filp, __user char *buf, size_t count, } } - if (dev->proto == 0 && count > dev->rlen - dev->rpos) { + if (dev->proto == 0 && count > dev->rlen - dev->rpos && i) { DEBUGP(4, dev, "T=0 and count > buffer\n"); dev->rbuf[i] = dev->rbuf[i - 1]; dev->rbuf[i - 1] = dev->procbyte;