serial167: fix read buffer overflow

Check whether index is within bounds before grabbing the element.

Also, since NR_PORTS is defined ARRAY_SIZE(cy_port), cy_port[NR_PORTS] is
out of bounds as well.

[akpm@linux-foundation.org: cleanup, remove (long) casts]
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/drivers/char/serial167.c b/drivers/char/serial167.c
index 5942a9d..452370a 100644 (file)
--- a/drivers/char/serial167.c
+++ b/drivers/char/serial167.c
@@ -220,8 +220,7 @@ static inline int serial_paranoia_check(struct cyclades_port *info, char *name,
                return 1;
        }
 
-       if ((long)info < (long)(&cy_port[0])
-           || (long)(&cy_port[NR_PORTS]) < (long)info) {
+       if (info < &cy_port[0] || info >= &cy_port[NR_PORTS]) {
                printk("Warning: cyclades_port out of range for (%s) in %s\n",
                                name, routine);
                return 1;
@@ -520,15 +519,13 @@ static irqreturn_t cd2401_tx_interrupt(int irq, void *dev_id)
                panic("TxInt on debug port!!!");
        }
 #endif
-
-       info = &cy_port[channel];
-
        /* validate the port number (as configured and open) */
        if ((channel < 0) || (NR_PORTS <= channel)) {
                base_addr[CyIER] &= ~(CyTxMpty | CyTxRdy);
                base_addr[CyTEOIR] = CyNOTRANS;
                return IRQ_HANDLED;
        }
+       info = &cy_port[channel];
        info->last_active = jiffies;
        if (info->tty == 0) {
                base_addr[CyIER] &= ~(CyTxMpty | CyTxRdy);