diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2015-10-19 13:16:49 +0300 |
|---|---|---|
| committer | Jiri Slaby <jslaby@suse.cz> | 2015-11-14 16:47:01 +0100 |
| commit | c75f0a0bfdec01eac652ad6a9eaa14e7ea5d85cb (patch) | |
| tree | ec463d5afde1f82c456ac04f92e17f80408441e0 | |
| parent | dc1546ee854c56780a29624d3bbf20a6fcd05574 (diff) | |
irda: precedence bug in irlmp_seq_hb_idx()
[ Upstream commit 50010c20597d14667eff0fdb628309986f195230 ]
This is decrementing the pointer, instead of the value stored in the
pointer. KASan detects it as an out of bounds reference.
Reported-by: "Berry Cheng 程君(成淼)" <chengmiao.cj@alibaba-inc.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
| -rw-r--r-- | net/irda/irlmp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c index 98ad6ec4bd3c..8ad149478e19 100644 --- a/net/irda/irlmp.c +++ b/net/irda/irlmp.c @@ -1876,7 +1876,7 @@ static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off) for (element = hashbin_get_first(iter->hashbin); element != NULL; element = hashbin_get_next(iter->hashbin)) { - if (!off || *off-- == 0) { + if (!off || (*off)-- == 0) { /* NB: hashbin left locked */ return element; } |