Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / kernel / shift / mainline / a6a61c5494145c904bead0cceadd94080bd3a784^! / . / drivers / isdn / i4l / isdn_tty.c
commita6a61c5494145c904bead0cceadd94080bd3a784[log] [tgz]
authorEric Sesterhenn <snakebyte@gmx.de>Sat May 20 15:00:12 2006 -0700
committerLinus Torvalds <torvalds@g5.osdl.org>Sun May 21 12:59:18 2006 -0700
tree7b0af71fd46a86da830c1ae3c0391fa9e55dee53
parent92d1dbd27417c54c23aac6a84c285e256f6118b6 [diff] [blame]
[PATCH] Overrun in isdn_tty.c

This fixes coverity bug id #1237.  After the while loop, it is possible for
i == ISDN_LMSNLEN.  If this happens the terminating '\0' is written after
the end of the array.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c
index 3585fb1..2ac9024 100644
--- a/drivers/isdn/i4l/isdn_tty.c
+++ b/drivers/isdn/i4l/isdn_tty.c

@@ -2880,7 +2880,7 @@
 			p[0]++;
 			i = 0;
 			while (*p[0] && (strchr("0123456789,-*[]?;", *p[0])) &&
-			       (i < ISDN_LMSNLEN))
+			       (i < ISDN_LMSNLEN - 1))
 				m->lmsn[i++] = *p[0]++;
 			m->lmsn[i] = '\0';
 			break;