From: Dan Carpenter Date: Tue, 10 Mar 2015 07:39:42 +0000 (+0300) Subject: staging: dgnc: off by one in dgnc_mgmt_ioctl() X-Git-Tag: firefly_0821_release~176^2~1998^2~138^2~478 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=cb1185a4ae29367d00b0ae19413d64303c8c0e51;p=firefly-linux-kernel-4.4.55.git staging: dgnc: off by one in dgnc_mgmt_ioctl() "dgnc_NumBoards" is the number of initialized elements in the dgnc_Board[] array so the comparison should be ">=" instead of ">" so we don't read invalid data. We can remove the special handling of the empty array now that we've fixed this bug. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/dgnc/dgnc_mgmt.c b/drivers/staging/dgnc/dgnc_mgmt.c index 5544a8e7f4bc..b89bd59d8da8 100644 --- a/drivers/staging/dgnc/dgnc_mgmt.c +++ b/drivers/staging/dgnc/dgnc_mgmt.c @@ -153,8 +153,7 @@ long dgnc_mgmt_ioctl(struct file *file, unsigned int cmd, unsigned long arg) if (copy_from_user(&brd, uarg, sizeof(int))) return -EFAULT; - if ((brd < 0) || (brd > dgnc_NumBoards) || - (dgnc_NumBoards == 0)) + if (brd < 0 || brd >= dgnc_NumBoards) return -ENODEV; memset(&di, 0, sizeof(di));