authorTilman Schmidt <tilman@imap.cc>2010-03-16 07:04:01 +0000
committerDavid S. Miller <davem@davemloft.net>2010-03-16 14:15:41 -0700
commit6ad34145cf809384359fe513481d6e16638a57a3 (patch)
tree33e57286febf0bfbbc8c276f2858de9327b8516f
parent7f7708f0055e49e331f267700aa8b2ee879f004c (diff)
gigaset: correct range checking off by one error
Correct a potential array overrun due to an off by one error in the range check on the CAPI CONNECT_REQ CIPValue parameter. Found and reported by Dan Carpenter using smatch. Impact: bugfix Signed-off-by: Tilman Schmidt <tilman@imap.cc> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/isdn/gigaset/capi.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c
index 4a31962..0220c19 100644
--- a/drivers/isdn/gigaset/capi.c
+++ b/drivers/isdn/gigaset/capi.c
@@ -1301,7 +1301,7 @@ static void do_connect_req(struct gigaset_capi_ctr *iif,
}
/* check parameter: CIP Value */
- if (cmsg->CIPValue > ARRAY_SIZE(cip2bchlc) ||
+ if (cmsg->CIPValue >= ARRAY_SIZE(cip2bchlc) ||
(cmsg->CIPValue > 0 && cip2bchlc[cmsg->CIPValue].bc == NULL)) {
dev_notice(cs->dev, "%s: unknown CIP value %d\n",
"CONNECT_REQ", cmsg->CIPValue);
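Review bot: The comment above the corrected check, `/* check parameter: CIP Value */`, does not say that CIPValue is used directly as an index into `cip2bchlc`, which is the reason the bound has to be strict. Since the value arrives in the CONNECT_REQ message, I would state the contract at the check, e.g. `/* CIPValue indexes cip2bchlc[]: must be < ARRAY_SIZE; 0 is accepted without checking its table entry */`. Any later `cip2bchlc[cmsg->CIPValue]` access in do_connect_req depends on this guard, but the function body starts and ends outside the hunk, so that cannot be confirmed from here. If CIPValue is an unsigned type (its declaration is not visible), `%u` would match it better than `%d` in the dev_notice call.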