While working on a serial driver for AMBA-style serial ports (an ARM
special thing), I've just spotted an overrun bug in the overrun
code of the 16x50 serial driver:

        if (*status & UART_LSR_OE) {
                /*
                 * Overrun is special, since it's
                 * reported immediately, and doesn't
                 * affect the current character
                 */
                tty->flip.count++;
                tty->flip.flag_buf_ptr++;
                tty->flip.char_buf_ptr++;
!               *tty->flip.flag_buf_ptr = TTY_OVERRUN;
                if (tty->flip.count >= TTY_FLIPBUF_SIZE)
                        goto ignore_char;
        }

At the marked line (! - line 647), what if flip.count is equal to
TTY_FLIPBUF_SIZE?  Surely we're writing to a character outside the
flag_buf_ptr array?  If that is the case, should we not move this
line until after the "goto ignore_char"?  Also, does it matter that
we don't place a character in the character buffer at the overrun
position?

Hmm, I wonder how many other serial drivers have this bug in. ;(
   _____
  |_____| ------------------------------------------------- ---+---+-
  |   |         Russell King        [EMAIL PROTECTED]      --- ---
  | | | | http://www.arm.linux.org.uk/personal/aboutme.html   /  /  |
  | +-+-+                                                     --- -+-
  /   |               THE developer of ARM Linux              |+| /|\
 /  | | |                                                     ---  |
    +-+-+ -------------------------------------------------  /\\\  |
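The following is an added example, not code from the message above nor from the kernel driver it quotes. It models the quoted receive path in plain C with a small flip buffer so that both points raised in the message can be observed: the flag write landing one slot past the end when flip.count reaches TTY_FLIPBUF_SIZE, and the character slot under the OVERRUN flag being left with stale contents. Assumptions: TTY_FLIPBUF_SIZE is shrunk to 8 (the kernel's value is larger), flag_buf carries one extra canary slot at index TTY_FLIPBUF_SIZE so the out-of-bounds write is observable without undefined behaviour, the character buffer is pre-filled with 0xFF to stand in for data left over from an earlier flip, and the "fixed" variant is one possible reordering along the lines the message suggests (check before writing, store a placeholder character), not necessarily the change that went into the kernel.

```c
/* Constructed model of the 2.4-era tty flip buffer receive path around
 * the overrun handling quoted above.  Not kernel code. */
#include <stdio.h>
#include <string.h>

#define TTY_FLIPBUF_SIZE 8      /* assumption: kept small to reach the edge quickly */
#define TTY_NORMAL       0
#define TTY_OVERRUN      1
#define UART_LSR_OE      0x02   /* overrun error bit in the 16x50 line status register */
#define GUARD_BYTE       0xA5   /* canary placed one slot past the nominal flag buffer */

struct flip_buf {
    int count;
    unsigned char char_buf[TTY_FLIPBUF_SIZE];
    unsigned char flag_buf[TTY_FLIPBUF_SIZE + 1]; /* index TTY_FLIPBUF_SIZE is the canary */
    unsigned char *char_buf_ptr;
    unsigned char *flag_buf_ptr;
};

typedef int (*rx_fn)(struct flip_buf *, unsigned char, unsigned);

static void flip_reset(struct flip_buf *f)
{
    f->count = 0;
    memset(f->char_buf, 0xFF, sizeof f->char_buf); /* 0xFF models stale bytes from a previous flip */
    memset(f->flag_buf, TTY_NORMAL, sizeof f->flag_buf);
    f->flag_buf[TTY_FLIPBUF_SIZE] = GUARD_BYTE;
    f->char_buf_ptr = f->char_buf;
    f->flag_buf_ptr = f->flag_buf;
}

static int guard_intact(const struct flip_buf *f)
{
    return f->flag_buf[TTY_FLIPBUF_SIZE] == GUARD_BYTE;
}

/* One pass of the receive loop in the order the message quotes: the current
 * character is stored first, then the overrun marker is appended after it.
 * Returns 1 if the character was stored, 0 if it was ignored. */
static int receive_char_buggy(struct flip_buf *f, unsigned char ch, unsigned lsr)
{
    if (f->count >= TTY_FLIPBUF_SIZE)
        return 0;                               /* ignore_char */
    *f->char_buf_ptr = ch;
    *f->flag_buf_ptr = TTY_NORMAL;
    if (lsr & UART_LSR_OE) {
        f->count++;
        f->flag_buf_ptr++;
        f->char_buf_ptr++;
        *f->flag_buf_ptr = TTY_OVERRUN;         /* hits flag_buf[TTY_FLIPBUF_SIZE] when count == TTY_FLIPBUF_SIZE */
        if (f->count >= TTY_FLIPBUF_SIZE)
            return 1;                           /* goto ignore_char */
    }
    f->flag_buf_ptr++;
    f->char_buf_ptr++;
    f->count++;
    return 1;
}

/* Same path with the bounds check moved before the write, and a placeholder
 * byte stored under the OVERRUN flag so no stale data sits there. */
static int receive_char_fixed(struct flip_buf *f, unsigned char ch, unsigned lsr)
{
    if (f->count >= TTY_FLIPBUF_SIZE)
        return 0;
    *f->char_buf_ptr = ch;
    *f->flag_buf_ptr = TTY_NORMAL;
    if (lsr & UART_LSR_OE) {
        f->count++;
        f->flag_buf_ptr++;
        f->char_buf_ptr++;
        if (f->count >= TTY_FLIPBUF_SIZE)
            return 1;                           /* no room for the marker: drop it, keep the character */
        *f->flag_buf_ptr = TTY_OVERRUN;
        *f->char_buf_ptr = 0;                   /* placeholder instead of leftover data */
    }
    f->flag_buf_ptr++;
    f->char_buf_ptr++;
    f->count++;
    return 1;
}

/* Fill all but one slot with clean characters, then deliver one more with
 * OE set.  Returns 1 if the canary past the flag buffer survived. */
static int edge_scenario(rx_fn rx)
{
    struct flip_buf f;
    int i;
    flip_reset(&f);
    for (i = 0; i < TTY_FLIPBUF_SIZE - 1; i++)
        rx(&f, (unsigned char)('a' + i), 0);
    rx(&f, 'z', UART_LSR_OE);
    return guard_intact(&f);
}

/* Deliver one character with OE into an empty buffer and return the byte
 * found under the OVERRUN flag (entry 1), or -1 if the layout is unexpected. */
static int byte_under_overrun_flag(rx_fn rx)
{
    struct flip_buf f;
    flip_reset(&f);
    rx(&f, 'q', UART_LSR_OE);
    if (f.count != 2 || f.flag_buf[1] != TTY_OVERRUN)
        return -1;
    return f.char_buf[1];
}

int buggy_path_clobbers_guard(void)  { return !edge_scenario(receive_char_buggy); }
int fixed_path_keeps_guard(void)     { return edge_scenario(receive_char_fixed); }
int buggy_byte_under_overrun(void)   { return byte_under_overrun_flag(receive_char_buggy); }
int fixed_byte_under_overrun(void)   { return byte_under_overrun_flag(receive_char_fixed); }

int main(void)
{
    printf("buggy path writes past flag_buf: %s\n", buggy_path_clobbers_guard() ? "yes" : "no");
    printf("fixed path writes past flag_buf: %s\n", fixed_path_keeps_guard() ? "no" : "yes");
    printf("byte under OVERRUN flag, buggy: 0x%02x, fixed: 0x%02x\n",
           buggy_byte_under_overrun(), fixed_byte_under_overrun());
    return 0;
}
```

With the quoted ordering, the last clean character leaves count at TTY_FLIPBUF_SIZE - 1, so the increment on the overrun path brings it to TTY_FLIPBUF_SIZE and the flag store lands one slot past the array before the size check runs; the canary shows it. The fixed variant checks first and, in the non-edge case, also clears the character slot that sits under the OVERRUN flag, which is the second point the message asks about.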