From 8016c3da0cc263f257e802fae36482eaad2d04fa Mon Sep 17 00:00:00 2001 From: Jan Kundrát Date: Wed, 28 Aug 2019 19:56:26 +0200 Subject: tty: max310x: fix off-by-one buffer access when storing overrun MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A recent change split the insertion loop into two parts. The first part accessed bytes 0, 1, ... (rxlen - 2), and the second part by mistake took offset `rxlen` instead of the correct `rxlen - 1`. So one byte was not stored, and the final access wrote past the end of the rx_buf. Fixes: 9c12d739d69b (tty: max310x: Split uart characters insertion loop) Signed-off-by: Jan Kundrát Reviewed-by: Serge Semin Link: https://lore.kernel.org/r/13ea227620aaad8a7231d42ed03a8508297d4eb3.1567027079.git.jan.kundrat@cesnet.cz Signed-off-by: Greg Kroah-Hartman --- drivers/tty/serial/max310x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/tty') diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c index e6c48a99bd85..0e0c2740ec7e 100644 --- a/drivers/tty/serial/max310x.c +++ b/drivers/tty/serial/max310x.c @@ -689,7 +689,7 @@ static void max310x_handle_rx(struct uart_port *port, unsigned int rxlen) * tail. */ uart_insert_char(port, sts, MAX310X_LSR_RXOVR_BIT, - one->rx_buf[rxlen], flag); + one->rx_buf[rxlen-1], flag); } else { if (unlikely(rxlen >= port->fifosize)) { -- cgit v1.2.3-58-ga151