Re: [PATCH 079/141] staging: unisys: visorchannel_write(): Handle partial channel_header writes


On Tue, May 05, 2015 at 06:36:56PM -0400, Benjamin Romer wrote:
> From: Jes Sorensen <Jes.Sorensen@xxxxxxxxxx>
> 
> Signed-off-by: Jes Sorensen <Jes.Sorensen@xxxxxxxxxx>
> Signed-off-by: Benjamin Romer <benjamin.romer@xxxxxxxxxx>
> ---
>  drivers/staging/unisys/visorbus/visorchannel.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/staging/unisys/visorbus/visorchannel.c b/drivers/staging/unisys/visorbus/visorchannel.c
> index cae62fed..da7bd9c 100644
> --- a/drivers/staging/unisys/visorbus/visorchannel.c
> +++ b/drivers/staging/unisys/visorbus/visorchannel.c
> @@ -213,13 +213,16 @@ int
>  visorchannel_write(struct visorchannel *channel, ulong offset,
>  		   void *local, ulong nbytes)
>  {
> -	size_t size = sizeof(struct channel_header);
> +	size_t chdr_size = sizeof(struct channel_header);
> +	size_t copy_size;
>  
>  	if (offset + nbytes > channel->memregion.nbytes)
>  		return -EIO;
>  
> -	if (!offset && nbytes >= size)
> -		memcpy(&channel->chan_hdr, local, size);
> +	if (offset < chdr_size) {
> +		copy_size = min(chdr_size, nbytes) - offset;
> +		memcpy(&channel->chan_hdr + offset, local, copy_size);
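
Review bot: In the memcpy() destination, `&channel->chan_hdr + offset` is pointer arithmetic on the type of chan_hdr (a struct channel_header, going by the sizeof used for chdr_size), so a nonzero offset advances by offset whole headers rather than offset bytes; cast to a byte pointer first, for example `(char *)&channel->chan_hdr + offset`. The length `min(chdr_size, nbytes) - offset` is an unsigned size_t expression and wraps to a huge value when nbytes is smaller than offset; `min(chdr_size - offset, nbytes)` stays bounded because the branch already guarantees `offset < chdr_size`. The commit message is empty apart from the sign-offs and should state why partial header writes need to update the cached chan_hdr.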

You get memory corruption if nbytes is less than offset and chdr_size.

My reading was that in the original code this memcpy() was dead code but
I could have been wrong.

regards,
dan carpenter
