[PATCH 067/641] Staging: comedi: s626: Possible read buffer overflow fix

Greg Kroah-Hartman gregkh at suse.de
Tue Sep 15 19:04:58 UTC 2009


From: Roel Kluin <roel.kluin at gmail.com>

If `cmd->chanlist_len' is 0, then we write ppl[-1].

Signed-off-by: Roel Kluin <roel.kluin at gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
 drivers/staging/comedi/drivers/s626.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/drivers/staging/comedi/drivers/s626.c b/drivers/staging/comedi/drivers/s626.c
index 6549d11..80d2787 100644
--- a/drivers/staging/comedi/drivers/s626.c
+++ b/drivers/staging/comedi/drivers/s626.c
@@ -1707,7 +1707,8 @@ static int s626_ai_load_polllist(uint8_t * ppl, struct comedi_cmd *cmd)
 		else
 			ppl[n] = (CR_CHAN((cmd->chanlist)[n])) | (RANGE_10V);
 	}
-	ppl[n - 1] |= EOPL;
+	if (n != 0)
+		ppl[n - 1] |= EOPL;
 
 	return n;
 }
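
Review bot: with the `if (n != 0)` guard, the n == 0 path now returns 0 without storing EOPL anywhere in ppl, so the poll list is left unterminated and the caller has to treat a 0 return as "no valid list". Nothing in this hunk shows that callers check for it. Consider rejecting an empty chanlist before this function is reached, or add a comment here stating that a 0 return means ppl was not written and must not be loaded. Separately, `ppl[n - 1] |= EOPL` is a read-modify-write of ppl[-1], so the subject line's "read buffer overflow" undersells it: the changelog body ("we write ppl[-1]") is the accurate description, and the subject would be clearer as an out-of-bounds write before the start of the buffer.
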
-- 
1.6.4.2



