From: Roel Kluin Date: Tue, 22 Sep 2009 23:45:54 +0000 (-0700) Subject: ncpfs: read buffer overflow X-Git-Tag: firefly_0821_release~12578 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=c5df59136a55fe08c21d39321679cbb008479edf;p=firefly-linux-kernel-4.4.55.git ncpfs: read buffer overflow This function uses signed integers for the unix_date and local variables - if a negative number is supplied and the leap-year condition is not met, month will be 0, leading to a later read of day_n[-1] Signed-off-by: Roel Kluin Cc: Petr Vandrovec Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/fs/ncpfs/dir.c b/fs/ncpfs/dir.c index 9c590722d87e..b8b5b30d53f0 100644 --- a/fs/ncpfs/dir.c +++ b/fs/ncpfs/dir.c @@ -1241,7 +1241,7 @@ ncp_date_unix2dos(int unix_date, __le16 *time, __le16 *date) month = 2; } else { nl_day = (year & 3) || day <= 59 ? day : day - 1; - for (month = 0; month < 12; month++) + for (month = 1; month < 12; month++) if (day_n[month] > nl_day) break; }