From 63c8a58d226a0701272b54015a8d73643d72cd3d Mon Sep 17 00:00:00 2001 From: Axel Lin Date: Fri, 24 Jun 2011 15:34:16 +0800 Subject: [PATCH] mfd: Fix off-by-one value range checking for tps65912_i2c_write If bytes == (TPS6591X_MAX_REGISTER + 1), we have a buffer overflow when doing memcpy(&msg[1], src, bytes). Signed-off-by: Axel Lin Signed-off-by: Samuel Ortiz --- drivers/mfd/tps65912-i2c.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mfd/tps65912-i2c.c b/drivers/mfd/tps65912-i2c.c index 9ed123a..c041f2c 100644 --- a/drivers/mfd/tps65912-i2c.c +++ b/drivers/mfd/tps65912-i2c.c @@ -57,7 +57,7 @@ static int tps65912_i2c_write(struct tps65912 *tps65912, u8 reg, u8 msg[TPS6591X_MAX_REGISTER + 1]; int ret; - if (bytes > (TPS6591X_MAX_REGISTER + 1)) + if (bytes > TPS6591X_MAX_REGISTER) return -EINVAL; msg[0] = reg; -- 2.7.4