From 8016c3da0cc263f257e802fae36482eaad2d04fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Kundr=C3=A1t?= <jan.kundrat@cesnet.cz>
Date: Wed, 28 Aug 2019 19:56:26 +0200
Subject: [PATCH] tty: max310x: fix off-by-one buffer access when storing overrun
Mime-version: 1.0
Content-type: text/plain; charset=UTF-8
Content-transfer-encoding: 8bit
Git-commit: 8016c3da0cc263f257e802fae36482eaad2d04fa
Patch-mainline: v5.4-rc1
References: git-fixes

A recent change split the insertion loop into two parts. The first part
accessed bytes 0, 1, ... (rxlen - 2), and the second part by mistake
took offset `rxlen` instead of the correct `rxlen - 1`. So one byte was
not stored, and the final access wrote past the end of the rx_buf.

Fixes: 9c12d739d69b (tty: max310x: Split uart characters insertion loop)
Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
Link: https://lore.kernel.org/r/13ea227620aaad8a7231d42ed03a8508297d4eb3.1567027079.git.jan.kundrat@cesnet.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Takashi Iwai <tiwai@suse.de>

---
 drivers/tty/serial/max310x.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c
index e6c48a99bd85..0e0c2740ec7e 100644
--- a/drivers/tty/serial/max310x.c
+++ b/drivers/tty/serial/max310x.c
@@ -689,7 +689,7 @@ static void max310x_handle_rx(struct uart_port *port, unsigned int rxlen)
 		 * tail.
 		 */
 		uart_insert_char(port, sts, MAX310X_LSR_RXOVR_BIT,
-				 one->rx_buf[rxlen], flag);
+				 one->rx_buf[rxlen-1], flag);
 
 	} else {
 		if (unlikely(rxlen >= port->fifosize)) {
-- 
2.16.4