Commit 56df900c authored by Jes Sorensen's avatar Jes Sorensen Committed by Greg Kroah-Hartman

staging: unisys: visorchannel_write() fix potential memory corruption

This fixes the memory corruption case, if nbytes is less than offset
and sizeof(struct channel_header)
Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarJes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: default avatarBenjamin Romer <benjamin.romer@unisys.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 68905a14
...@@ -258,7 +258,7 @@ visorchannel_write(struct visorchannel *channel, ulong offset, ...@@ -258,7 +258,7 @@ visorchannel_write(struct visorchannel *channel, ulong offset,
return -EIO; return -EIO;
if (offset < chdr_size) { if (offset < chdr_size) {
copy_size = min(chdr_size, nbytes) - offset; copy_size = min(chdr_size - offset, nbytes);
memcpy(&channel->chan_hdr + offset, local, copy_size); memcpy(&channel->chan_hdr + offset, local, copy_size);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment