Blame 0219-cadence_uart-Fix-buffer-overflow.patch

5544c1
From d563cd7529186355aa8dc11e2cc7d16342dca1c9 Mon Sep 17 00:00:00 2001
5544c1
From: Stefan Weil <sw@weilnetz.de>
5544c1
Date: Sat, 1 Sep 2012 11:12:23 +0200
5544c1
Subject: [PATCH] cadence_uart: Fix buffer overflow
5544c1
5544c1
Report from smatch:
5544c1
hw/cadence_uart.c:413 uart_read(13) error: buffer overflow 's->r' 18 <= 18
5544c1
5544c1
This fixes read access to s->r[R_MAX] which is behind the limits of s->r.
5544c1
5544c1
Signed-off-by: Stefan Weil <sw@weilnetz.de>
5544c1
Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com>
5544c1
(cherry picked from commit 5d40097fc09fe5d34cf316a411dc27d455ac2cd0)
5544c1
5544c1
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
5544c1
---
5544c1
 hw/cadence_uart.c | 2 +-
5544c1
 1 file changed, 1 insertion(+), 1 deletion(-)
5544c1
5544c1
diff --git a/hw/cadence_uart.c b/hw/cadence_uart.c
5544c1
index d98e531..f8afc4e 100644
5544c1
--- a/hw/cadence_uart.c
5544c1
+++ b/hw/cadence_uart.c
5544c1
@@ -404,7 +404,7 @@ static uint64_t uart_read(void *opaque, target_phys_addr_t offset,
5544c1
     uint32_t c = 0;
5544c1
 
5544c1
     offset >>= 2;
5544c1
-    if (offset > R_MAX) {
5544c1
+    if (offset >= R_MAX) {
5544c1
         return 0;
5544c1
     } else if (offset == R_TX_RX) {
5544c1
         uart_read_rx_fifo(s, &c);
5544c1
-- 
5544c1
1.7.12.1
5544c1