From: David Brownell
Be differently paranoid about params from userspace: prevent overflows too, 96 + 96 fits in an "unsigned long".
Signed-off-by: David Brownell
Cc: Alessandro Zummo
Signed-off-by: Andrew Morton
---
 drivers/rtc/rtc-ds1305.c | 4 ++++
 1 file changed, 4 insertions(+)
diff -puN drivers/rtc/rtc-ds1305.c~rtc-ds1305-ds1306-driver-fix drivers/rtc/rtc-ds1305.c
--- a/drivers/rtc/rtc-ds1305.c~rtc-ds1305-ds1306-driver-fix
+++ a/drivers/rtc/rtc-ds1305.c
@@ -557,6 +557,8 @@ ds1305_nvram_read(struct kobject *kobj,
 if (unlikely(off >= DS1305_NVRAM_LEN))
 return 0;
+ if (count >= DS1305_NVRAM_LEN)
+ count = DS1305_NVRAM_LEN;
 if ((off + count) > DS1305_NVRAM_LEN)
 count = DS1305_NVRAM_LEN - off;
 if (unlikely(!count))
@@ -585,6 +587,8 @@ ds1305_nvram_write(struct kobject *kobj,
 if (unlikely(off >= DS1305_NVRAM_LEN))
 return -EFBIG;
+ if (count >= DS1305_NVRAM_LEN)
+ count = DS1305_NVRAM_LEN;
 if ((off + count) > DS1305_NVRAM_LEN)
 count = DS1305_NVRAM_LEN - off;
 if (unlikely(!count))
_
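Review bot: The clamp added in ds1305_nvram_read, and the identical one in ds1305_nvram_write, exists only to stop `off + count` from wrapping in the test that follows, but nothing in the code says so; that reasoning lives only in the commit message. Because the guard above already establishes `off < DS1305_NVRAM_LEN`, comparing against the remaining space avoids the addition altogether and replaces both tests: `if (count > DS1305_NVRAM_LEN - off) count = DS1305_NVRAM_LEN - off;`. This holds only if `off` can never be negative. Its declared type is in the parameter list outside the hunk, so if it is a signed offset, confirm that a negative value is rejected before it reaches the `off >= DS1305_NVRAM_LEN` guard. Both function bodies start and end outside the hunks.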