mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-07 21:53:44 +00:00
pcmcia: avoid buffer overflow in pcmcia_setup_isa_irq
NR_IRQS may be as low as 16, causing a (harmless?) buffer overflow in pcmcia_setup_isa_irq(): static u8 pcmcia_used_irq[NR_IRQS]; ... if ((try < 32) && pcmcia_used_irq[irq]) continue; This is read-only, so if this address would be non-zero, it would just mean we would not attempt an IRQ >= NR_IRQS -- which would fail anyway! And as request_irq() fails for an irq >= NR_IRQS, the setting code path: pcmcia_used_irq[irq]++; is never reached as well. Reported-by: Christoph Fritz <chf.fritz@googlemail.com> CC: stable@kernel.org Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net> Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>
This commit is contained in:
parent
0f52e86ded
commit
127c03cdba
@ -677,7 +677,7 @@ EXPORT_SYMBOL(__pcmcia_request_exclusive_irq);
|
||||
#ifdef CONFIG_PCMCIA_PROBE
|
||||
|
||||
/* mask of IRQs already reserved by other cards, we should avoid using them */
|
||||
static u8 pcmcia_used_irq[NR_IRQS];
|
||||
static u8 pcmcia_used_irq[32];
|
||||
|
||||
static irqreturn_t test_action(int cpl, void *dev_id)
|
||||
{
|
||||
@ -700,6 +700,9 @@ static int pcmcia_setup_isa_irq(struct pcmcia_device *p_dev, int type)
|
||||
for (try = 0; try < 64; try++) {
|
||||
irq = try % 32;
|
||||
|
||||
if (irq > NR_IRQS)
|
||||
continue;
|
||||
|
||||
/* marked as available by driver, not blocked by userspace? */
|
||||
if (!((mask >> irq) & 1))
|
||||
continue;
|
||||
|
Loading…
Reference in New Issue
Block a user