From 4bef52f377b6410a89fc580a8948033f613854f8 Mon Sep 17 00:00:00 2001
From: Dan Carpenter
Date: Thu, 12 Mar 2015 20:24:31 +0300
Subject: [PATCH] staging: dgnc: some off by one bugs

"dgnc_NumBoards" is the number of filled out elements in the dgnc_Board[] array. "->nasync" and "->maxports" are the same value. They are the number of channels in the ->channels[] array so these tests should be ">=" instead of ">" so we avoid reading past the end of the arrays. I cleaned up the conditions in dgnc_mgmt_ioctl() a bit. There was a work around for the off by one bug in the case where there were no boards which is no longer needed. "channel" is unsigned so it can't be negative.

Signed-off-by: Dan Carpenter
Signed-off-by: Greg Kroah-Hartman
---
 drivers/staging/dgnc/dgnc_cls.c | 2 +-
 drivers/staging/dgnc/dgnc_mgmt.c | 4 ++--
 drivers/staging/dgnc/dgnc_neo.c | 6 +++---
 drivers/staging/dgnc/dgnc_tty.c | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/staging/dgnc/dgnc_cls.c b/drivers/staging/dgnc/dgnc_cls.c
index 66397d66ee0e..e3564d278d91 100644
--- a/drivers/staging/dgnc/dgnc_cls.c
+++ b/drivers/staging/dgnc/dgnc_cls.c
@@ -375,7 +375,7 @@ static inline void cls_parse_isr(struct dgnc_board *brd, uint port)
 * verified in the interrupt routine.
 */

- if (port > brd->nasync)
+ if (port >= brd->nasync)
 return;

 ch = brd->channels[port];
diff --git a/drivers/staging/dgnc/dgnc_mgmt.c b/drivers/staging/dgnc/dgnc_mgmt.c
index 57814061f6db..34b6efd90e82 100644
--- a/drivers/staging/dgnc/dgnc_mgmt.c
+++ b/drivers/staging/dgnc/dgnc_mgmt.c
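Review bot: In cls_parse_isr() (dgnc_cls.c) the index into `brd->channels[]` is bounded by `brd->nasync`, while the neo_parse_isr() and neo_parse_lsr() hunks in dgnc_neo.c bound the same array with `brd->maxports` and the neo_intr() hunk goes back to `nasync`. The commit message states the two fields hold the same value, but nothing in the visible lines enforces that, so a later change to one of them could reopen the out-of-bounds read on some paths only. I would use a single field for every `channels[]` check, or at least record the invariant beside each test, for example `/* port indexes channels[]; valid range is 0..nasync-1 (nasync == maxports) */`. All four function bodies start and end outside their hunks.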
@@ -179,11 +179,11 @@ long dgnc_mgmt_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 channel = ni.channel;

 /* Verify boundaries on board */
- if ((board > dgnc_NumBoards) || (dgnc_NumBoards == 0))
+ if (board >= dgnc_NumBoards)
 return -ENODEV;

 /* Verify boundaries on channel */
- if ((channel < 0) || (channel > dgnc_Board[board]->nasync))
+ if (channel >= dgnc_Board[board]->nasync)
 return -ENODEV;

 ch = dgnc_Board[board]->channels[channel];
diff --git a/drivers/staging/dgnc/dgnc_neo.c b/drivers/staging/dgnc/dgnc_neo.c
index 41105be24229..f5a4d365115f 100644
--- a/drivers/staging/dgnc/dgnc_neo.c
+++ b/drivers/staging/dgnc/dgnc_neo.c
@@ -391,7 +391,7 @@ static inline void neo_parse_isr(struct dgnc_board *brd, uint port)
 if (!brd || brd->magic != DGNC_BOARD_MAGIC)
 return;

- if (port > brd->maxports)
+ if (port >= brd->maxports)
 return;

 ch = brd->channels[port];
@@ -521,7 +521,7 @@ static inline void neo_parse_lsr(struct dgnc_board *brd, uint port)
 if (!brd || brd->magic != DGNC_BOARD_MAGIC)
 return;

- if (port > brd->maxports)
+ if (port >= brd->maxports)
 return;

 ch = brd->channels[port];
@@ -1003,7 +1003,7 @@ static irqreturn_t neo_intr(int irq, void *voidbrd)
 */

 /* Verify the port is in range. */
- if (port > brd->nasync)
+ if (port >= brd->nasync)
 continue;

 ch = brd->channels[port];
diff --git a/drivers/staging/dgnc/dgnc_tty.c b/drivers/staging/dgnc/dgnc_tty.c
index f1c4d07a0aaa..5b8d7b552d8a 100644
--- a/drivers/staging/dgnc/dgnc_tty.c
+++ b/drivers/staging/dgnc/dgnc_tty.c
@@ -1042,7 +1042,7 @@ static int dgnc_tty_open(struct tty_struct *tty, struct file *file)
 spin_lock_irqsave(&brd->bd_lock, flags);

 /* If opened device is greater than our number of ports, bail. */
- if (PORT_NUM(minor) > brd->nasync) {
+ if (PORT_NUM(minor) >= brd->nasync) {
 spin_unlock_irqrestore(&brd->bd_lock, flags);
 return -ENXIO;
 }
-- 
2.30.2
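Review bot: `board` and `channel` in dgnc_mgmt_ioctl() appear to come from the caller-supplied `ni` structure (only `channel = ni.channel;` is visible; the copy from `arg` is outside the hunk), and both are used as array indexes immediately after the corrected comparisons. On kernels that provide `array_index_nospec()` in `<linux/nospec.h>`, I would clamp each one after its check so the bound also holds under speculative execution: `board = array_index_nospec(board, dgnc_NumBoards);` and `channel = array_index_nospec(channel, dgnc_Board[board]->nasync);`. Dropping the `dgnc_NumBoards == 0` and `channel < 0` tests is only safe while both indexes and their limits are unsigned; the commit message confirms this for `channel`, but the declarations are outside the hunk and worth confirming for `board`.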
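Review bot: The comment above the corrected test in dgnc_tty_open() still says "greater than our number of ports", which describes the old `>` comparison rather than the new `>=`. A reader who trusts the comment could reintroduce the off-by-one, so I would reword it to state the valid range, e.g. `/* Valid ports are 0..nasync-1; bail if the opened minor is outside that range. */`. dgnc_tty_open() starts and ends outside the hunk.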