On 3/28/2019 10:40 PM, Colin King wrote:
From: Colin Ian King <[email protected]> The return from tty_write_room could potentially be negative if a tty write_room driver returns an error number (not that any seem to do). Rather than just check for a zero return, also check for a -ve return. This avoids the unsigned nr being set to a large unsigned value on the assignment from variable space and can lead to overflowing the buffer buf. Better to be safe than assume all write_room implementations in tty drivers are going to do the right thing. Signed-off-by: Colin Ian King <[email protected]>
Looks reasonable to me. Reviewed-by: Mukesh Ojha <[email protected]> -Mukesh.
--- drivers/tty/n_tty.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c index 9cdb0fa3c4bf..66630787fbf9 100644 --- a/drivers/tty/n_tty.c +++ b/drivers/tty/n_tty.c @@ -550,7 +550,7 @@ static ssize_t process_output_block(struct tty_struct *tty, mutex_lock(&ldata->output_lock);space = tty_write_room(tty);- if (!space) { + if (space <= 0) { mutex_unlock(&ldata->output_lock); return 0; }
