Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751304AbWCYL64 (ORCPT ); Sat, 25 Mar 2006 06:58:56 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751374AbWCYL6z (ORCPT ); Sat, 25 Mar 2006 06:58:55 -0500 Received: from emailhub.stusta.mhn.de ([141.84.69.5]:47117 "HELO mailout.stusta.mhn.de") by vger.kernel.org with SMTP id S1751304AbWCYL6z (ORCPT ); Sat, 25 Mar 2006 06:58:55 -0500 Date: Sat, 25 Mar 2006 12:58:53 +0100 From: Adrian Bunk To: Andrew Morton Cc: linux-kernel@vger.kernel.org, Darren Jenkins Subject: [2.6 patch] fix array over-run in efi.c Message-ID: <20060325115853.GB4053@stusta.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.11+cvs20060126 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1175 Lines: 40 From: Darren Jenkins Coverity found an over-run @ line 364 of efi.c This is due to the loop checking the size correctly, then adding a '\0' after possibly hitting the end of the array. The patch below just ensures the loop exits with one space left in the array. Compile tested. Signed-off-by: Darren Jenkins Signed-off-by: Adrian Bunk --- This patch was sent by Darren Jenkins on: - 08 Mar 2006 --- linux-2.6.16-rc5/arch/i386/kernel/efi.c.orig 2006-03-08 12:31:14.000000000 +1100 +++ linux-2.6.16-rc5/arch/i386/kernel/efi.c 2006-03-08 12:37:59.000000000 +1100 @@ -359,7 +359,7 @@ void __init efi_init(void) */ c16 = (efi_char16_t *) boot_ioremap(efi.systab->fw_vendor, 2); if (c16) { - for (i = 0; i < sizeof(vendor) && *c16; ++i) + for (i = 0; i < (sizeof(vendor) - 1) && *c16; ++i) vendor[i] = *c16++; vendor[i] = '\0'; } else - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/