[PATCH 11/11] hvcbeat: fix buffer manipulation

Ishizaki Kou kou.ishizaki at toshiba.co.jp
Mon Mar 17 21:05:18 EST 2008


This patch fixes a potential bug in drivers/char/hvc_beat.c.
 - The hvc_put_term_char routine decrements the "rest" variable twice
   and forgets to advance the "buf" pointer by "nlen" bytes.
This bug was not hit because the output handler in
drivers/char/hvc_console.c splits the given output into pieces of
16 bytes at maximum.

This patch is one of a series that I posted on Mar. 14, "celleb:
patchset for 2.6.26 (take2)". I am sending this again because it
would otherwise be lost.

Reported-by: Timur Tabi <timur at freescale.com>
Signed-off-by: Kou Ishizaki <kou.ishizaki at toshiba.co.jp>
Acked-by: Arnd Bergmann <arnd at arndb.de>
---
 drivers/char/hvc_beat.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Index: b/drivers/char/hvc_beat.c
===================================================================
--- a/drivers/char/hvc_beat.c	2008-03-10 14:11:57.000000000 +0900
+++ b/drivers/char/hvc_beat.c	2008-03-10 14:13:40.000000000 +0900
@@ -78,8 +78,8 @@
 	for (rest = cnt; rest > 0; rest -= nlen) {
 		nlen = (rest > 16) ? 16 : rest;
 		memcpy(kb, buf, nlen);
-		beat_put_term_char(vtermno, rest, kb[0], kb[1]);
-		rest -= nlen;
+		beat_put_term_char(vtermno, nlen, kb[0], kb[1]);
+		buf += nlen;
 	}
 	return cnt;
 }
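
Review bot: nothing in the loop checks whether beat_put_term_char() succeeded, and the function still ends with "return cnt" unconditionally, so if the call can fail the caller is told every byte was written. Consider testing the result inside the loop and returning the number of bytes actually sent (cnt - rest) on failure. A smaller point on the memcpy(kb, buf, nlen) line: when the last chunk has nlen < 16, the tail of kb still holds bytes from the previous iteration and is passed along in kb[0], kb[1]. That is harmless only as long as the callee honours nlen, so clearing kb before the copy would make the call independent of that assumption.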


