[PATCH] pcmcia: Read buffer overflow
Roel Kluin
roel.kluin at gmail.com
Fri Aug 7 16:34:57 EDT 2009
if count > 0 and dev->rlen == dev->rpos and dev->proto == 0
then we read and write dev->rbuf[-1];
Signed-off-by: Roel Kluin <roel.kluin at gmail.com>
---
Unless I am mistaken, so please review
diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c
index 881934c..c250a31 100644
--- a/drivers/char/pcmcia/cm4000_cs.c
+++ b/drivers/char/pcmcia/cm4000_cs.c
@@ -1017,7 +1017,7 @@ static ssize_t cmm_read(struct file *filp, __user char *buf, size_t count,
}
}
- if (dev->proto == 0 && count > dev->rlen - dev->rpos) {
+ if (dev->proto == 0 && count > dev->rlen - dev->rpos && i) {
DEBUGP(4, dev, "T=0 and count > buffer\n");
dev->rbuf[i] = dev->rbuf[i - 1];
dev->rbuf[i - 1] = dev->procbyte;
More information about the linux-pcmcia
mailing list