Commit 4bef52f3 authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman

staging: dgnc: some off by one bugs

"dgnc_NumBoards" is the number of filled out elements in the
dgnc_Board[] array.  "->nasync" and "->maxports" are the same value.
They are the number of channels in the ->channels[] array so these tests
should be ">=" instead of ">" so we avoid reading past the end of the
arrays.

I cleaned up the conditions in dgnc_mgmt_ioctl() a bit.  There was a
work around for the off by one bug in the case where there were no
boards which is no longer needed.  "channel" is unsigned so it can't be
negative.
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent edc16d8d
...@@ -375,7 +375,7 @@ static inline void cls_parse_isr(struct dgnc_board *brd, uint port) ...@@ -375,7 +375,7 @@ static inline void cls_parse_isr(struct dgnc_board *brd, uint port)
* verified in the interrupt routine. * verified in the interrupt routine.
*/ */
if (port > brd->nasync) if (port >= brd->nasync)
return; return;
ch = brd->channels[port]; ch = brd->channels[port];
......
...@@ -179,11 +179,11 @@ long dgnc_mgmt_ioctl(struct file *file, unsigned int cmd, unsigned long arg) ...@@ -179,11 +179,11 @@ long dgnc_mgmt_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
channel = ni.channel; channel = ni.channel;
/* Verify boundaries on board */ /* Verify boundaries on board */
if ((board > dgnc_NumBoards) || (dgnc_NumBoards == 0)) if (board >= dgnc_NumBoards)
return -ENODEV; return -ENODEV;
/* Verify boundaries on channel */ /* Verify boundaries on channel */
if ((channel < 0) || (channel > dgnc_Board[board]->nasync)) if (channel >= dgnc_Board[board]->nasync)
return -ENODEV; return -ENODEV;
ch = dgnc_Board[board]->channels[channel]; ch = dgnc_Board[board]->channels[channel];
......
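Review bot: The single upper-bound test `board >= dgnc_NumBoards` in dgnc_mgmt_ioctl() rejects every bad index only if the comparison is unsigned. The commit message says `channel` is unsigned but says nothing about `board` or `dgnc_NumBoards`, and their declarations are outside the hunk. If both operands were signed, a negative `board` taken from `ni` would pass the test and index before `dgnc_Board[]`, so I would confirm the types and record them in a comment such as `/* board and channel are unsigned, so one upper-bound test is enough */`. Since `ni` appears to be filled from the ioctl argument, clamping after the checks with `board = array_index_nospec(board, dgnc_NumBoards);` (and likewise for `channel`) would also stop the indexes being used out of range under speculation.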
...@@ -391,7 +391,7 @@ static inline void neo_parse_isr(struct dgnc_board *brd, uint port) ...@@ -391,7 +391,7 @@ static inline void neo_parse_isr(struct dgnc_board *brd, uint port)
if (!brd || brd->magic != DGNC_BOARD_MAGIC) if (!brd || brd->magic != DGNC_BOARD_MAGIC)
return; return;
if (port > brd->maxports) if (port >= brd->maxports)
return; return;
ch = brd->channels[port]; ch = brd->channels[port];
...@@ -521,7 +521,7 @@ static inline void neo_parse_lsr(struct dgnc_board *brd, uint port) ...@@ -521,7 +521,7 @@ static inline void neo_parse_lsr(struct dgnc_board *brd, uint port)
if (!brd || brd->magic != DGNC_BOARD_MAGIC) if (!brd || brd->magic != DGNC_BOARD_MAGIC)
return; return;
if (port > brd->maxports) if (port >= brd->maxports)
return; return;
ch = brd->channels[port]; ch = brd->channels[port];
...@@ -1003,7 +1003,7 @@ static irqreturn_t neo_intr(int irq, void *voidbrd) ...@@ -1003,7 +1003,7 @@ static irqreturn_t neo_intr(int irq, void *voidbrd)
*/ */
/* Verify the port is in range. */ /* Verify the port is in range. */
if (port > brd->nasync) if (port >= brd->nasync)
continue; continue;
ch = brd->channels[port]; ch = brd->channels[port];
......
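Review bot: neo_parse_isr() and neo_parse_lsr() bound `port` by `brd->maxports`, while neo_intr() in the same file bounds it by `brd->nasync` before the identical `brd->channels[port]` access. The commit message says the two fields hold the same value, but nothing in these hunks enforces that, so the checks stay correct only while both fields match the size of `channels[]`. Using one field for every index check, or adding a comment such as `/* maxports == nasync == number of entries in channels[] */` beside the checks, would make that invariant visible to the next reader. All three function bodies continue outside the hunks.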
...@@ -1042,7 +1042,7 @@ static int dgnc_tty_open(struct tty_struct *tty, struct file *file) ...@@ -1042,7 +1042,7 @@ static int dgnc_tty_open(struct tty_struct *tty, struct file *file)
spin_lock_irqsave(&brd->bd_lock, flags); spin_lock_irqsave(&brd->bd_lock, flags);
/* If opened device is greater than our number of ports, bail. */ /* If opened device is greater than our number of ports, bail. */
if (PORT_NUM(minor) > brd->nasync) { if (PORT_NUM(minor) >= brd->nasync) {
spin_unlock_irqrestore(&brd->bd_lock, flags); spin_unlock_irqrestore(&brd->bd_lock, flags);
return -ENXIO; return -ENXIO;
} }
......
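Review bot: The comment above the check in dgnc_tty_open() still reads "greater than our number of ports", which describes the old `>` test rather than the new `>=` one. Per the commit message `nasync` is the number of entries in `channels[]`, so valid port numbers run from 0 to `nasync - 1`. I would reword the comment to `/* If the opened port number is not below our number of ports, bail. */`. The function body starts and ends outside the hunk.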