* [PATCH 11/11] hvcbeat: fix buffer manipulation
@ 2008-03-05 8:41 Ishizaki Kou
2008-03-05 11:51 ` Arnd Bergmann
0 siblings, 1 reply; 3+ messages in thread
From: Ishizaki Kou @ 2008-03-05 8:41 UTC (permalink / raw)
To: paulus; +Cc: linuxppc-dev
This patch fixes a potential bug at drivers/char/hvc_beat.c.
- hvc_put_term_char routine will decrement "rest" variable twice,
and forget to advance "buf" pointer by "nlen" bytes.
This bug was not hit because the output handler in
drivers/char/hvc_console.c splits given output into 16 bytes
at maximum.
Reported-by: Timur Tabi <timur@freescale•com>
Signed-off-by: Kou Ishizaki <kou.ishizaki@toshiba•co.jp>
---
drivers/char/hvc_beat.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: b/drivers/char/hvc_beat.c
===================================================================
--- a/drivers/char/hvc_beat.c 2008-03-03 23:49:18.000000000 +0900
+++ b/drivers/char/hvc_beat.c 2008-03-04 15:14:35.000000000 +0900
@@ -78,8 +78,8 @@
for (rest = cnt; rest > 0; rest -= nlen) {
nlen = (rest > 16) ? 16 : rest;
memcpy(kb, buf, nlen);
- beat_put_term_char(vtermno, rest, kb[0], kb[1]);
- rest -= nlen;
+ beat_put_term_char(vtermno, nlen, kb[0], kb[1]);
+ buf += nlen;
}
return cnt;
}
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH 11/11] hvcbeat: fix buffer manipulation
2008-03-05 8:41 [PATCH 11/11] hvcbeat: fix buffer manipulation Ishizaki Kou
@ 2008-03-05 11:51 ` Arnd Bergmann
0 siblings, 0 replies; 3+ messages in thread
From: Arnd Bergmann @ 2008-03-05 11:51 UTC (permalink / raw)
To: linuxppc-dev; +Cc: paulus
On Wednesday 05 March 2008, Ishizaki Kou wrote:
> This patch fixes a potential bug at drivers/char/hvc_beat.c.
> =A0- hvc_put_term_char routine will decrement "rest" variable twice,
> =A0 =A0and forget to advance "buf" pointer by "nlen" bytes.
> This bug was not hit because the output handler in
> drivers/char/hvc_console.c splits given output into 16 bytes
> at maximum.
>=20
> Reported-by: Timur Tabi <timur@freescale•com>
> Signed-off-by: Kou Ishizaki <kou.ishizaki@toshiba•co.jp>
Acked-by: Arnd Bergmann <arnd@arndb•de>
obviously correct
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 11/11] hvcbeat: fix buffer manipulation
@ 2008-03-17 10:05 Ishizaki Kou
0 siblings, 0 replies; 3+ messages in thread
From: Ishizaki Kou @ 2008-03-17 10:05 UTC (permalink / raw)
To: paulus; +Cc: linuxppc-dev
This patch fixes a potential bug at drivers/char/hvc_beat.c.
- hvc_put_term_char routine will decrement "rest" variable twice,
and forget to advance "buf" pointer by "nlen" bytes.
This bug was not hit because the output handler in
drivers/char/hvc_console.c splits given output into 16 bytes
at maximum.
This patch is one of a series that I posted on Mar.14, "celleb:
patchset for 2.6.26 (take2)". I send this again because it
would be lost.
Reported-by: Timur Tabi <timur@freescale•com>
Signed-off-by: Kou Ishizaki <kou.ishizaki@toshiba•co.jp>
Acked-by: Arnd Bergmann <arnd@arndb•de>
---
drivers/char/hvc_beat.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: b/drivers/char/hvc_beat.c
===================================================================
--- a/drivers/char/hvc_beat.c 2008-03-10 14:11:57.000000000 +0900
+++ b/drivers/char/hvc_beat.c 2008-03-10 14:13:40.000000000 +0900
@@ -78,8 +78,8 @@
for (rest = cnt; rest > 0; rest -= nlen) {
nlen = (rest > 16) ? 16 : rest;
memcpy(kb, buf, nlen);
- beat_put_term_char(vtermno, rest, kb[0], kb[1]);
- rest -= nlen;
+ beat_put_term_char(vtermno, nlen, kb[0], kb[1]);
+ buf += nlen;
}
return cnt;
}
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2008-03-17 10:05 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-03-05 8:41 [PATCH 11/11] hvcbeat: fix buffer manipulation Ishizaki Kou
2008-03-05 11:51 ` Arnd Bergmann
-- strict thread matches above, loose matches on Subject: below --
2008-03-17 10:05 Ishizaki Kou
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox