gigaset: correct range checking off by one error

tilmanschmidt · davem330 · commit 6ad34145cf80 · 2010-03-16T14:15:41.000-07:00
Correct a potential array overrun due to an off by one error in the
range check on the CAPI CONNECT_REQ CIPValue parameter.
Found and reported by Dan Carpenter using smatch.

Impact: bugfix
Signed-off-by: Tilman Schmidt &lt;tilman@imap.cc&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c
@@ -1301,7 +1301,7 @@ static void do_connect_req(struct gigaset_capi_ctr *iif,
 	}
 
 	/* check parameter: CIP Value */
-	if (cmsg->CIPValue > ARRAY_SIZE(cip2bchlc) ||
+	if (cmsg->CIPValue >= ARRAY_SIZE(cip2bchlc) ||
 	    (cmsg->CIPValue > 0 && cip2bchlc[cmsg->CIPValue].bc == NULL)) {
 		dev_notice(cs->dev, "%s: unknown CIP value %d\n",
 			   "CONNECT_REQ", cmsg->CIPValue);

Original file line number	Diff line number	Diff line change
`@@ -1301,7 +1301,7 @@ static void do_connect_req(struct gigaset_capi_ctr *iif,`
`1301`	`1301`	`}`
`1302`	`1302`
`1303`	`1303`	`/* check parameter: CIP Value */`
`1304`		`- if (cmsg->CIPValue > ARRAY_SIZE(cip2bchlc) \|\|`
	`1304`	`+ if (cmsg->CIPValue >= ARRAY_SIZE(cip2bchlc) \|\|`
`1305`	`1305`	`(cmsg->CIPValue > 0 && cip2bchlc[cmsg->CIPValue].bc == NULL)) {`
`1306`	`1306`	`dev_notice(cs->dev, "%s: unknown CIP value %d\n",`
`1307`	`1307`	`"CONNECT_REQ", cmsg->CIPValue);`