diff mbox

media: dvb_ca_en50221: off by one in dvb_ca_en50221_io_do_ioctl()

Message ID 20180704094835.vzfqt44sqaga6aia@kili.mountain (mailing list archive)
State New, archived
Headers show

Commit Message

Dan Carpenter July 4, 2018, 9:48 a.m. UTC 
The > should be >= so we don't read one element beyond the end of the
ca->slot_info[] array.  The array is allocated in dvb_ca_en50221_init().

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Comments

Jasmin J. July 5, 2018, 7:32 a.m. UTC | #1 
Hello Dan!

I checked this and this is in since ages. Good catch!

I did a quick look to the other places where this is checked also
and they seem all ok.

Acked-by: Jasmin Jessich <jasmin@anw.at>

BR,
   Jasmin
diff mbox

Patch

diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
index 1310526b0d49..4d371cea0d5d 100644
--- a/drivers/media/dvb-core/dvb_ca_en50221.c
+++ b/drivers/media/dvb-core/dvb_ca_en50221.c
@@ -1391,7 +1391,7 @@  static int dvb_ca_en50221_io_do_ioctl(struct file *file,
 		struct dvb_ca_slot *sl;
 
 		slot = info->num;
-		if ((slot > ca->slot_count) || (slot < 0)) {
+		if ((slot >= ca->slot_count) || (slot < 0)) {
 			err = -EINVAL;
 			goto out_unlock;
 		}