Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

staging: unisys: visorchannel_write() fix potential memory corruption

This fixes the memory corruption case, if nbytes is less than offset
and sizeof(struct channel_header)

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Benjamin Romer <benjamin.romer@unisys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jes Sorensen 10 years ago
parent
68905a14e4
commit
56df900cb4
1 changed files with 1 additions and 1 deletions
Split View Show Diff Stats
  1. 1 1
      drivers/staging/unisys/visorbus/visorchannel.c

+ 1 - 1
drivers/staging/unisys/visorbus/visorchannel.c
View File 

@@ -258,7 +258,7 @@ visorchannel_write(struct visorchannel *channel, ulong offset,
 
 		return -EIO;
 
 
 	if (offset < chdr_size) {
 
-		copy_size = min(chdr_size, nbytes) - offset;
 
+		copy_size = min(chdr_size - offset, nbytes);
 
 		memcpy(&channel->chan_hdr + offset, local, copy_size);
 
 	}