From patchwork Sun Jul 20 13:49:12 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tilman Schmidt X-Patchwork-Id: 371898 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 621FD140119 for ; Mon, 21 Jul 2014 00:18:12 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752646AbaGTOSG (ORCPT ); Sun, 20 Jul 2014 10:18:06 -0400 Received: from gimli.pxnet.com ([89.1.7.7]:35188 "EHLO mail.pxnet.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752623AbaGTOSE (ORCPT ); Sun, 20 Jul 2014 10:18:04 -0400 X-Greylist: delayed 1095 seconds by postgrey-1.27 at vger.kernel.org; Sun, 20 Jul 2014 10:18:04 EDT Received: from xenon.ts.pxnet.com (p5DE8D773.dip0.t-ipconnect.de [93.232.215.115]) (user=ts author=<> mech=DIGEST-MD5 bits=0) by mail.pxnet.com (8.13.8/8.13.8) with ESMTP id s6KDnGZm024300 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 20 Jul 2014 15:49:19 +0200 Received: by xenon.ts.pxnet.com (Postfix, from userid 1000) id 13895140074; Sun, 20 Jul 2014 15:49:12 +0200 (CEST) To: netdev@vger.kernel.org CC: David Miller , Dan Carpenter , Karsten Keil , isdn4linux@listserv.isdn4linux.de From: Tilman Schmidt Subject: [PATCH] isdn/capi: avoid index overrun from command_2_index() Message-Id: <20140720134913.13895140074@xenon.ts.pxnet.com> Date: Sun, 20 Jul 2014 15:49:12 +0200 (CEST) X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (mail.pxnet.com [89.1.7.7]); Sun, 20 Jul 2014 15:49:24 +0200 (CEST) X-Scanned-By: MIMEDefang 2.70 on 89.1.7.7 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org The result of the function command_2_index() is used to index two arrays mnames[] and cpars[] with max. index 0x4e but in its current form that function can produce results up to 3*(0x9+0x9)+0x7f = 0xb5. Legal values for the function's first argument (c) according to the CAPI 2.0 standard are 0x00..0x08, 0x41, 0x80, 0x82..0x88, and 0xff. This patch modifies command_2_index() in such a way that the result is unchanged for legal values of c, and guaranteed to be less or equal to 0x4e for any argument values. Reported-by: Dan Carpenter Signed-off-by: Tilman Schmidt --- drivers/isdn/capi/capiutil.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/drivers/isdn/capi/capiutil.c b/drivers/isdn/capi/capiutil.c index 6e797e5..b666d8b 100644 --- a/drivers/isdn/capi/capiutil.c +++ b/drivers/isdn/capi/capiutil.c @@ -201,15 +201,10 @@ static unsigned char *cpars[] = #define structTRcpyovl(x, y, l) memmove(y, x, l) /*-------------------------------------------------------*/ -static unsigned command_2_index(unsigned c, unsigned sc) +static unsigned command_2_index(u8 c, u8 sc) { - if (c & 0x80) + if (c & 0xf0) c = 0x9 + (c & 0x0f); - else if (c <= 0x0f); - else if (c == 0x41) - c = 0x9 + 0x1; - else if (c == 0xff) - c = 0x00; return (sc & 3) * (0x9 + 0x9) + c; }