From: Bjorn Helgaas <bjorn.helgaas@hp.com>

early_serial_setup() doesn't validate the array index, so a caller could
corrupt memory after serial8250_ports[] by supplying a value of port->line
that's too large.

I haven't seen a failure related to this, but it seems fragile to rely on
callers to know how many ports the driver supports.



 25-akpm/drivers/serial/8250.c |    3 +++
 1 files changed, 3 insertions(+)

diff -puN drivers/serial/8250.c~early_serial_setup-range-check drivers/serial/8250.c
--- 25/drivers/serial/8250.c~early_serial_setup-range-check	Thu Oct 16 16:09:42 2003
+++ 25-akpm/drivers/serial/8250.c	Thu Oct 16 16:09:42 2003
@@ -2099,6 +2099,9 @@ int register_serial(struct serial_struct
 
 int __init early_serial_setup(struct uart_port *port)
 {
+	if (port->line >= ARRAY_SIZE(serial8250_ports))
+		return -ENODEV;
+
 	serial8250_isa_init_ports();
 	serial8250_ports[port->line].port	= *port;
 	serial8250_ports[port->line].port.ops	= &serial8250_pops;
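Review bot: The new early return at the top of early_serial_setup() fails silently, so a caller that ignores the return value will not learn that its port was rejected with -ENODEV. Consider logging the rejected port->line value there and checking that existing callers test the result. The bound is sound for the two serial8250_ports[port->line] stores that follow, and because ARRAY_SIZE() yields an unsigned value the comparison also rejects a negative index if port->line is a signed type, which this hunk does not show. A one-line comment saying so would help the next reader.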

_