From: Greg KH on 30 Mar 2010 19:50 2.6.33-stable review patch. If anyone has any objections, please let us know. ------------------ From: Tilman Schmidt <tilman(a)imap.cc> commit 6ad34145cf809384359fe513481d6e16638a57a3 upstream. Correct a potential array overrun due to an off by one error in the range check on the CAPI CONNECT_REQ CIPValue parameter. Found and reported by Dan Carpenter using smatch. Impact: bugfix Signed-off-by: Tilman Schmidt <tilman(a)imap.cc> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)suse.de> --- drivers/isdn/gigaset/capi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/isdn/gigaset/capi.c +++ b/drivers/isdn/gigaset/capi.c @@ -1313,7 +1313,7 @@ static void do_connect_req(struct gigase } /* check parameter: CIP Value */ - if (cmsg->CIPValue > ARRAY_SIZE(cip2bchlc) || + if (cmsg->CIPValue >= ARRAY_SIZE(cip2bchlc) || (cmsg->CIPValue > 0 && cip2bchlc[cmsg->CIPValue].bc == NULL)) { dev_notice(cs->dev, "%s: unknown CIP value %d\n", "CONNECT_REQ", cmsg->CIPValue); -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |
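Review bot: the changelog should state what the overrun actually is, since the CIP value check in do_connect_req() only shows a read. With the old `>` comparison, a CIPValue equal to ARRAY_SIZE(cip2bchlc) passed the first clause, and the second clause then evaluated `cip2bchlc[cmsg->CIPValue].bc` one element past the end of the table. The `>=` bound is the right fix for that. Two follow-ups are worth a line each. First, confirm that no other place in capi.c indexes cip2bchlc with CIPValue behind the same `>` pattern, which this hunk cannot show. Second, extend the "check parameter: CIP Value" comment to say why a CIPValue of 0 is accepted without the `.bc == NULL` lookup, because the `cmsg->CIPValue > 0` guard reads like an oversight without it.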