From cb1185a4ae29367d00b0ae19413d64303c8c0e51 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Tue, 10 Mar 2015 10:39:42 +0300 Subject: [PATCH] staging: dgnc: off by one in dgnc_mgmt_ioctl() "dgnc_NumBoards" is the number of initialized elements in the dgnc_Board[] array so the comparison should be ">=" instead of ">" so we don't read invalid data. We can remove the special handling of the empty array now that we've fixed this bug. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- drivers/staging/dgnc/dgnc_mgmt.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/staging/dgnc/dgnc_mgmt.c b/drivers/staging/dgnc/dgnc_mgmt.c index 5544a8e7f4bc..b89bd59d8da8 100644 --- a/drivers/staging/dgnc/dgnc_mgmt.c +++ b/drivers/staging/dgnc/dgnc_mgmt.c @@ -153,8 +153,7 @@ long dgnc_mgmt_ioctl(struct file *file, unsigned int cmd, unsigned long arg) if (copy_from_user(&brd, uarg, sizeof(int))) return -EFAULT; - if ((brd < 0) || (brd > dgnc_NumBoards) || - (dgnc_NumBoards == 0)) + if (brd < 0 || brd >= dgnc_NumBoards) return -ENODEV; memset(&di, 0, sizeof(di)); -- 2.20.1