From 470967dc6c38696f853b7f338eb9d743c28a9e11 Mon Sep 17 00:00:00 2001 From: Roel Kluin Date: Mon, 21 Sep 2009 17:03:54 -0700 Subject: [PATCH] pcmcia: fix read buffer overflow If count > 0 and dev->rlen == dev->rpos and dev->proto == 0 then we read and write dev->rbuf[-1]; Signed-off-by: Roel Kluin Cc: Harald Welte Cc: Dominik Brodowski Cc: Greg KH Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/char/pcmcia/cm4000_cs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c index 881934c068c8..c250a31efa53 100644 --- a/drivers/char/pcmcia/cm4000_cs.c +++ b/drivers/char/pcmcia/cm4000_cs.c @@ -1017,7 +1017,7 @@ static ssize_t cmm_read(struct file *filp, __user char *buf, size_t count, } } - if (dev->proto == 0 && count > dev->rlen - dev->rpos) { + if (dev->proto == 0 && count > dev->rlen - dev->rpos && i) { DEBUGP(4, dev, "T=0 and count > buffer\n"); dev->rbuf[i] = dev->rbuf[i - 1]; dev->rbuf[i - 1] = dev->procbyte; -- 2.20.1