staging: unisys: visorchannel_write() fix potential memory corruption

This fixes the memory corruption case, if nbytes is less than offset and sizeof(struct channel_header) Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com> Signed-off-by: Benjamin Romer <benjamin.romer@unisys.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Jes Sorensen <Jes.Sorensen@redhat.com> 2015-06-16 09:13:33 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-06-16 14:36:39 -0700
commit: 56df900cb44d18c3ffaf16e09b83aaf37d912cc5 (patch)
tree: fbee1de66a2ee35d637cb7b27718c608e5c97caf /drivers/staging/unisys
parent: 68905a14e49c97bf49dacd753e40ddd5b254e2ad (diff)
download: linux-56df900cb44d18c3ffaf16e09b83aaf37d912cc5.tar.gz
linux-56df900cb44d18c3ffaf16e09b83aaf37d912cc5.tar.bz2
linux-56df900cb44d18c3ffaf16e09b83aaf37d912cc5.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/staging/unisys/visorbus/visorchannel.c b/drivers/staging/unisys/visorbus/visorchannel.c
index b1155ab9eeeb..20b63496e9f2 100644
--- a/drivers/staging/unisys/visorbus/visorchannel.c
+++ b/drivers/staging/unisys/visorbus/visorchannel.c
@@ -258,7 +258,7 @@ visorchannel_write(struct visorchannel *channel, ulong offset,
 		return -EIO;
 
 	if (offset < chdr_size) {
-		copy_size = min(chdr_size, nbytes) - offset;
+		copy_size = min(chdr_size - offset, nbytes);
 		memcpy(&channel->chan_hdr + offset, local, copy_size);
 	}
author	Jes Sorensen <Jes.Sorensen@redhat.com>	2015-06-16 09:13:33 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2015-06-16 14:36:39 -0700
commit	56df900cb44d18c3ffaf16e09b83aaf37d912cc5 (patch)
tree	fbee1de66a2ee35d637cb7b27718c608e5c97caf /drivers/staging/unisys
parent	68905a14e49c97bf49dacd753e40ddd5b254e2ad (diff)
download	linux-56df900cb44d18c3ffaf16e09b83aaf37d912cc5.tar.gz linux-56df900cb44d18c3ffaf16e09b83aaf37d912cc5.tar.bz2 linux-56df900cb44d18c3ffaf16e09b83aaf37d912cc5.zip