diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2015-10-19 13:16:49 +0300 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2015-11-27 12:48:25 +0000 |
| commit | a8ab3e639d481658fc9da76de80485a5247c3a68 (patch) | |
| tree | 10d81c51d288af7166873da26d871b7ae39ee2e6 | |
| parent | b208d27d457678cab6584d29c1db827a696c7f2b (diff) | |
irda: precedence bug in irlmp_seq_hb_idx()
[ Upstream commit 50010c20597d14667eff0fdb628309986f195230 ]
This is decrementing the pointer, instead of the value stored in the
pointer. KASan detects it as an out of bounds reference.
Reported-by: "Berry Cheng 程君(成淼)" <chengmiao.cj@alibaba-inc.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
| -rw-r--r-- | net/irda/irlmp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c index 6115a44c0a24..0721f82114d5 100644 --- a/net/irda/irlmp.c +++ b/net/irda/irlmp.c @@ -1868,7 +1868,7 @@ static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off) for (element = hashbin_get_first(iter->hashbin); element != NULL; element = hashbin_get_next(iter->hashbin)) { - if (!off || *off-- == 0) { + if (!off || (*off)-- == 0) { /* NB: hashbin left locked */ return element; } |