From: Jes Sorensen Date: Tue, 16 Jun 2015 13:13:33 +0000 (-0400) Subject: staging: unisys: visorchannel_write() fix potential memory corruption X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=56df900cb44d18c3ffaf16e09b83aaf37d912cc5;p=linux-beck.git staging: unisys: visorchannel_write() fix potential memory corruption This fixes the memory corruption case, if nbytes is less than offset and sizeof(struct channel_header) Reported-by: Dan Carpenter Signed-off-by: Jes Sorensen Signed-off-by: Benjamin Romer Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/unisys/visorbus/visorchannel.c b/drivers/staging/unisys/visorbus/visorchannel.c index b1155ab9eeeb..20b63496e9f2 100644 --- a/drivers/staging/unisys/visorbus/visorchannel.c +++ b/drivers/staging/unisys/visorbus/visorchannel.c @@ -258,7 +258,7 @@ visorchannel_write(struct visorchannel *channel, ulong offset, return -EIO; if (offset < chdr_size) { - copy_size = min(chdr_size, nbytes) - offset; + copy_size = min(chdr_size - offset, nbytes); memcpy(&channel->chan_hdr + offset, local, copy_size); }