summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTilman Schmidt <tilman@imap.cc>2010-03-16 08:04:01 +0100
committerDavid S. Miller <davem@davemloft.net>2010-03-16 22:15:41 +0100
commit6ad34145cf809384359fe513481d6e16638a57a3 (patch)
tree33e57286febf0bfbbc8c276f2858de9327b8516f
parentbridge: Fix br_forward crash in promiscuous mode (diff)
downloadlinux-6ad34145cf809384359fe513481d6e16638a57a3.tar.xz
linux-6ad34145cf809384359fe513481d6e16638a57a3.zip
gigaset: correct range checking off by one error
Correct a potential array overrun due to an off by one error in the range check on the CAPI CONNECT_REQ CIPValue parameter. Found and reported by Dan Carpenter using smatch. Impact: bugfix Signed-off-by: Tilman Schmidt <tilman@imap.cc> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/isdn/gigaset/capi.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c
index 4a31962ddf71..0220c19351d9 100644
--- a/drivers/isdn/gigaset/capi.c
+++ b/drivers/isdn/gigaset/capi.c
@@ -1301,7 +1301,7 @@ static void do_connect_req(struct gigaset_capi_ctr *iif,
}
/* check parameter: CIP Value */
- if (cmsg->CIPValue > ARRAY_SIZE(cip2bchlc) ||
+ if (cmsg->CIPValue >= ARRAY_SIZE(cip2bchlc) ||
(cmsg->CIPValue > 0 && cip2bchlc[cmsg->CIPValue].bc == NULL)) {
dev_notice(cs->dev, "%s: unknown CIP value %d\n",
"CONNECT_REQ", cmsg->CIPValue);