From: Tilman Schmidt Date: Tue, 16 Mar 2010 07:04:01 +0000 (+0000) Subject: gigaset: correct range checking off by one error X-Git-Tag: v2.6.33.2~108 X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=f3cfe648b427db8768a1039cfd201842ae8a4a1d;p=karo-tx-linux.git gigaset: correct range checking off by one error commit 6ad34145cf809384359fe513481d6e16638a57a3 upstream. Correct a potential array overrun due to an off by one error in the range check on the CAPI CONNECT_REQ CIPValue parameter. Found and reported by Dan Carpenter using smatch. Impact: bugfix Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c index b7f2ebb50008..6b6c25d279be 100644 --- a/drivers/isdn/gigaset/capi.c +++ b/drivers/isdn/gigaset/capi.c @@ -1313,7 +1313,7 @@ static void do_connect_req(struct gigaset_capi_ctr *iif, } /* check parameter: CIP Value */ - if (cmsg->CIPValue > ARRAY_SIZE(cip2bchlc) || + if (cmsg->CIPValue >= ARRAY_SIZE(cip2bchlc) || (cmsg->CIPValue > 0 && cip2bchlc[cmsg->CIPValue].bc == NULL)) { dev_notice(cs->dev, "%s: unknown CIP value %d\n", "CONNECT_REQ", cmsg->CIPValue);
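Review bot: The second clause of the CIP Value check in do_connect_req() only tests cip2bchlc[cmsg->CIPValue].bc == NULL when cmsg->CIPValue > 0, so index 0 is accepted whatever cip2bchlc[0].bc holds. The code that consumes the entry is not visible in this hunk, so the comment above the check should say that 0 is deliberately valid and that the accepted range is 0 to ARRAY_SIZE(cip2bchlc) - 1. The >= bound is the correct one for indexing cip2bchlc[], but it protects the array read only because it is evaluated first in the || expression; the clause order must stay as it is. The dev_notice() text "unknown CIP value" is also shared by the out-of-range case and the NULL-entry case, so separate messages would make a rejected CONNECT_REQ easier to diagnose from the log.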