Message ID | 20100316172048.CBC5240116@xenon.ts.pxnet.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
From: Tilman Schmidt <tilman@imap.cc>
Date: Tue, 16 Mar 2010 18:04:01 +0100

> Correct a potential array overrun due to an off by one error in the
> range check on the CAPI CONNECT_REQ CIPValue parameter.
> Found and reported by Dan Carpenter using smatch.
>
> Impact: bugfix
> Signed-off-by: Tilman Schmidt <tilman@imap.cc>

Applied.
diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c index 4a31962..0220c19 100644 --- a/drivers/isdn/gigaset/capi.c +++ b/drivers/isdn/gigaset/capi.c @@ -1301,7 +1301,7 @@ static void do_connect_req(struct gigaset_capi_ctr *iif, } /* check parameter: CIP Value */ - if (cmsg->CIPValue > ARRAY_SIZE(cip2bchlc) || + if (cmsg->CIPValue >= ARRAY_SIZE(cip2bchlc) || (cmsg->CIPValue > 0 && cip2bchlc[cmsg->CIPValue].bc == NULL)) { dev_notice(cs->dev, "%s: unknown CIP value %d\n", "CONNECT_REQ", cmsg->CIPValue);
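Review bot: In the CIP Value check in do_connect_req(), the second clause skips the NULL test for CIPValue 0 (`cmsg->CIPValue > 0 && cip2bchlc[cmsg->CIPValue].bc == NULL`) without saying why, so a reader cannot tell whether index 0 is meant to be accepted when its `.bc` entry is NULL. A short addition to the `/* check parameter: CIP Value */` comment stating that would help. The `>=` bound itself is right: with `>`, a CIPValue equal to ARRAY_SIZE(cip2bchlc) passed the first test and the second clause then read one element past the end of the table. Minor: dev_notice prints the value with `%d`; if CIPValue is an unsigned field, `%u` is the matching specifier.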
Correct a potential array overrun due to an off by one error in the
range check on the CAPI CONNECT_REQ CIPValue parameter.
Found and reported by Dan Carpenter using smatch.

Impact: bugfix
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
---
 drivers/isdn/gigaset/capi.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)