From: Dan Carpenter <error27@gmail.com>
Date: Fri, 15 Oct 2010 03:42:00 +0000 (+0200)
Subject: Staging: ft1000-usb: fix array overflow
X-Git-Tag: v2.6.37-rc1~60^2~3^2~93
X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=commitdiff_plain;h=fcbf77bf872c28ac3f18261a44af91383f0a2f3d;p=linux.git

Staging: ft1000-usb: fix array overflow

The code here is supposed checking if we exited the loop without hitting
a break.  The problem is that in the error handling "i" is out of bounds
and it corrupts memory when we do an info->app_info[i].nRxMsgMiss++.
>From the comments, it looks like someone noticed this corruption and
updated the code, but didn't totally fix the problem.  The correct fix
is just to remove nRxMsgMiss++ from the error path.

I believe this bug can be triggered remotely.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/drivers/staging/ft1000/ft1000-usb/ft1000_hw.c b/drivers/staging/ft1000/ft1000-usb/ft1000_hw.c
index 84985388d80a..0ff89c0d31b3 100644
--- a/drivers/staging/ft1000/ft1000-usb/ft1000_hw.c
+++ b/drivers/staging/ft1000/ft1000-usb/ft1000_hw.c
@@ -2615,8 +2615,7 @@ int ft1000_poll(void* dev_id) {
                                    }
                                }
 
-                               if (i==(MAX_NUM_APP-1)) {		// aelias [+] reason: was out of array boundary
-                                   info->app_info[i].nRxMsgMiss++;
+                               if (i == MAX_NUM_APP) {
                                    DEBUG("FT1000:ft1000_parse_dpram_msg: No application matching id = %d\n", ppseudo_hdr->portdest);
                                    // Put memory back to free pool
                                    ft1000_free_buffer(pdpram_blk, &freercvpool);