projects / GitHub / MotorolaMobilityLLC / kernel-slsi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4aa922c)
mfd: Fix off-by-one value range checking for tps65910_i2c_write
authorAxel Lin <axel.lin@gmail.com>
Mon, 16 May 2011 14:19:01 +0000 (22:19 +0800)
committerLiam Girdwood <lrg@slimlogic.co.uk>
Fri, 27 May 2011 09:49:09 +0000 (10:49 +0100)
If bytes == (TPS65910_MAX_REGISTER + 1), we have a buffer overflow when
doing memcpy(&msg[1], src, bytes).

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Acked-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Liam Girdwood <lrg@slimlogic.co.uk>
drivers/mfd/tps65910.c patch | blob | blame | history

diff --git a/drivers/mfd/tps65910.c b/drivers/mfd/tps65910.c
index bf649cf6a0ae3440c756db6b1fbd790904aed418..e31824870b9fd890bd5e9ec877ee1fe60eedb4a7 100644 (file)
--- a/drivers/mfd/tps65910.c
+++ b/drivers/mfd/tps65910.c
@@ -71,7 +71,7 @@ static int tps65910_i2c_write(struct tps65910 *tps65910, u8 reg,
        u8 msg[TPS65910_MAX_REGISTER + 1];
        int ret;
 
-       if (bytes > (TPS65910_MAX_REGISTER + 1))
+       if (bytes > TPS65910_MAX_REGISTER)
                return -EINVAL;
 
        msg[0] = reg;
Motorola kernel-slsi