From patchwork Tue Mar 16 17:04:01 2010
X-Patchwork-Submitter: Tilman Schmidt
X-Patchwork-Id: 47876
X-Patchwork-Delegate: davem@davemloft.net
From: Tilman Schmidt
Date: Tue, 16 Mar 2010 18:04:01 +0100
Subject: [PATCH] gigaset: correct range checking off by one error
To: Karsten Keil, David Miller
CC: Dan Carpenter, Hansjoerg Lipp, isdn4linux, i4ldeveloper, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@kernel.org
Message-Id: <20100316172048.CBC5240116@xenon.ts.pxnet.com>
X-Mailing-List: netdev@vger.kernel.org

Correct a potential array overrun due to an off by one error in the
range check on the CAPI CONNECT_REQ CIPValue parameter.
Found and reported by Dan Carpenter using smatch.

Impact: bugfix
Signed-off-by: Tilman Schmidt --- drivers/isdn/gigaset/capi.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c index 4a31962..0220c19 100644 --- a/drivers/isdn/gigaset/capi.c +++ b/drivers/isdn/gigaset/capi.c @@ -1301,7 +1301,7 @@ static void do_connect_req(struct gigaset_capi_ctr *iif, } /* check parameter: CIP Value */ - if (cmsg->CIPValue > ARRAY_SIZE(cip2bchlc) || + if (cmsg->CIPValue >= ARRAY_SIZE(cip2bchlc) || (cmsg->CIPValue > 0 && cip2bchlc[cmsg->CIPValue].bc == NULL)) { dev_notice(cs->dev, "%s: unknown CIP value %d\n", "CONNECT_REQ", cmsg->CIPValue);
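
Review bot: In the second operand of the CIP value check in do_connect_req(), "cmsg->CIPValue > 0 &&" lets a CIPValue of 0 through without looking at cip2bchlc[0].bc, and neither the comment "/* check parameter: CIP Value */" nor the commit message says that this is intended. The ">=" bound itself is right: with the old ">" test, a CIPValue equal to ARRAY_SIZE(cip2bchlc) passed the first operand and was then used in that same condition as an index one past the last element. Consider extending the comment to state that 0 is accepted deliberately and that the code after this check must tolerate whatever cip2bchlc[0] holds, so the next reader does not have to re-derive which indices are validated.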