[PATCH] partitions/ldm: Off by one in ldm_relative()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



If base == buflen then we read one character past the end of buffer[].

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
This is static analysis.  Not tested.  This code goes back to before the
start of git.

diff --git a/block/partitions/ldm.c b/block/partitions/ldm.c
index 0417937dfe99..8f4c302eb11b 100644
--- a/block/partitions/ldm.c
+++ b/block/partitions/ldm.c
@@ -636,12 +636,12 @@ static int ldm_relative(const u8 *buffer, int buflen, int base, int offset)
 {
 
 	base += offset;
-	if (!buffer || offset < 0 || base > buflen) {
+	if (!buffer || offset < 0 || base >= buflen) {
 		if (!buffer)
 			ldm_error("!buffer");
 		if (offset < 0)
 			ldm_error("offset (%d) < 0", offset);
-		if (base > buflen)
+		if (base >= buflen)
 			ldm_error("base (%d) > buflen (%d)", base, buflen);
 		return -1;
 	}
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux