[Patch] Overrun in isdn_tty.c

From: Eric Sesterhenn / Snakebyte
Date: Tue May 16 2006 - 04:35:32 EST

Next message: Chris Wright: "Re: [PATCH] Gerd Hoffman's move-vsyscall-into-user-address-range patch"
Previous message: Muli Ben-Yehuda: "Re: /dev/random on Linux"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

hi,

this fixes coverity bug id #1237. After the while loop,
it is possible for i == ISDN_LMSNLEN. If this happens
the terminating '\0' is written after the end of the array.

Signed-off-by: Eric Sesterhenn <snakebyte@xxxxxx>

--- linux-2.6.17-rc4-git2/drivers/isdn/i4l/isdn_tty.c.orig 2006-05-16 10:27:29.000000000 +0200
+++ linux-2.6.17-rc4-git2/drivers/isdn/i4l/isdn_tty.c 2006-05-16 10:27:50.000000000 +0200
@@ -2880,7 +2880,7 @@ isdn_tty_cmd_ATand(char **p, modem_info
p[0]++;
i = 0;
while (*p[0] && (strchr("0123456789,-*[]?;", *p[0])) &&
- (i < ISDN_LMSNLEN))
+ (i < ISDN_LMSNLEN - 1))
m->lmsn[i++] = *p[0]++;
m->lmsn[i] = '\0';
break;

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Chris Wright: "Re: [PATCH] Gerd Hoffman's move-vsyscall-into-user-address-range patch"
Previous message: Muli Ben-Yehuda: "Re: /dev/random on Linux"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]