From: Axel Lin Date: Fri, 24 Jun 2011 07:34:16 +0000 (+0800) Subject: mfd: Fix off-by-one value range checking for tps65912_i2c_write X-Git-Tag: firefly_0821_release~3680^2~4792^2~14 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=63c8a58d226a0701272b54015a8d73643d72cd3d;p=firefly-linux-kernel-4.4.55.git mfd: Fix off-by-one value range checking for tps65912_i2c_write If bytes == (TPS6591X_MAX_REGISTER + 1), we have a buffer overflow when doing memcpy(&msg[1], src, bytes). Signed-off-by: Axel Lin Signed-off-by: Samuel Ortiz --- diff --git a/drivers/mfd/tps65912-i2c.c b/drivers/mfd/tps65912-i2c.c index 9ed123aa6624..c041f2c3d2bd 100644 --- a/drivers/mfd/tps65912-i2c.c +++ b/drivers/mfd/tps65912-i2c.c @@ -57,7 +57,7 @@ static int tps65912_i2c_write(struct tps65912 *tps65912, u8 reg, u8 msg[TPS6591X_MAX_REGISTER + 1]; int ret; - if (bytes > (TPS6591X_MAX_REGISTER + 1)) + if (bytes > TPS6591X_MAX_REGISTER) return -EINVAL; msg[0] = reg;