From: Alexander Nyberg This fixes a theoretical bug indicated in: http://bugme.osdl.org/show_bug.cgi?id=240 It prevents overflow in case the required buffer is larger than the passed buffer. This I found to be the minimally intrusive change. Signed-off-by: Alexander Nyberg Signed-off-by: Andrew Morton --- 25-akpm/drivers/parport/probe.c | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) diff -puN drivers/parport/probe.c~off-by-one-in-drivers-parport-probec drivers/parport/probe.c --- 25/drivers/parport/probe.c~off-by-one-in-drivers-parport-probec 2004-12-01 23:18:59.675275416 -0800 +++ 25-akpm/drivers/parport/probe.c 2004-12-01 23:18:59.679274808 -0800 @@ -164,8 +164,16 @@ ssize_t parport_device_id (int devnum, c if (retval != 2) goto end_id; idlen = (length[0] << 8) + length[1] - 2; - if (idlen < len) + /* + * Check if the caller-allocated buffer is large enough + * otherwise bail out or there will be an at least off by one. + */ + if (idlen + 1 < len) len = idlen; + else { + retval = -EINVAL; + goto out; + } retval = parport_read (dev->port, buffer, len); if (retval != len) @@ -205,11 +213,12 @@ ssize_t parport_device_id (int devnum, c buffer[len] = '\0'; parport_negotiate (dev->port, IEEE1284_MODE_COMPAT); } - parport_release (dev); if (retval > 2) parse_data (dev->port, dev->daisy, buffer); +out: + parport_release (dev); parport_close (dev); return retval; } _
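Review bot: The new bound `if (idlen + 1 < len)` is one stricter than needed and rejects an ID that fits exactly: with `idlen == len - 1`, the data plus the NUL later written at `buffer[len]` fill `len` bytes, yet this path returns -EINVAL, whereas `if (idlen < len)` with the same `else` branch is the tight test. `idlen` is also derived from two device-supplied bytes minus 2, and the `+ 1` matters if it is a signed int compared against an unsigned `len` (neither declaration is visible in the hunk). In that case a reported length of 1 gives `idlen + 1 == 0`, which passes the test, and `len = idlen` then turns -1 into a very large read size; the old `idlen < len` comparison would have rejected that value. Callers that previously received a truncated ID for a short buffer now get -EINVAL, which deserves a line in the function's comment; the function body starts outside this hunk.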
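Review bot: The `out:` label lands after the closing brace that follows `parport_negotiate (dev->port, IEEE1284_MODE_COMPAT);`, so the -EINVAL path added in the first hunk releases and closes the port without that renegotiation, after two length bytes have already been read. If the port was switched into device-ID mode earlier in the function (that part is outside the hunk), the error path should still return it to compatibility mode, for example by jumping to a label placed directly before the `parport_negotiate` call rather than to `out`. Moving `parport_release (dev);` below `parse_data` also means `parse_data` now runs with the port still claimed; if that is intended, a short comment such as `/* parse while the port is still claimed */` would record it.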