mfd: Fix off-by-one value range checking for tps65910_i2c_write

If bytes == (TPS65910_MAX_REGISTER + 1), we have a buffer overflow when doing memcpy(&msg[1], src, bytes). Signed-off-by: Axel Lin <axel.lin@gmail.com> Acked-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: Liam Girdwood <lrg@slimlogic.co.uk>
2011-05-16 22:19:01 +08:00 · 2011-05-16 22:19:01 +08:00 · 0514e9acd7
parent 4aa922c024
commit 0514e9acd7
1 changed files with 1 additions and 1 deletions
--- a/drivers/mfd/tps65910.c
+++ b/drivers/mfd/tps65910.c
@ -71,7 +71,7 @@ static int tps65910_i2c_write(struct tps65910 *tps65910, u8 reg,
 	u8 msg[TPS65910_MAX_REGISTER + 1];
 	int ret;

-	if (bytes > (TPS65910_MAX_REGISTER + 1))
+	if (bytes > TPS65910_MAX_REGISTER)
 		return -EINVAL;

 	msg[0] = reg;