From: Jes Sorensen <Jes.Sorensen@xxxxxxxxxx>
This fixes the memory corruption case, if nbytes is less than offset
and sizeof(struct channel_header)
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Jes Sorensen <Jes.Sorensen@xxxxxxxxxx>
Signed-off-by: Benjamin Romer <benjamin.romer@xxxxxxxxxx>
---
drivers/staging/unisys/visorbus/visorchannel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/unisys/visorbus/visorchannel.c b/drivers/staging/unisys/visorbus/visorchannel.c
index b1155ab..20b6349 100644
--- a/drivers/staging/unisys/visorbus/visorchannel.c
+++ b/drivers/staging/unisys/visorbus/visorchannel.c
@@ -258,7 +258,7 @@ visorchannel_write(struct visorchannel *channel, ulong offset,
return -EIO;
if (offset < chdr_size) {
- copy_size = min(chdr_size, nbytes) - offset;
+ copy_size = min(chdr_size - offset, nbytes);
memcpy(&channel->chan_hdr + offset, local, copy_size);
}
--
2.1.4
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
