diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2012-03-26 21:20:48 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2012-03-27 22:42:32 -0400 |
commit | 819a100846295461bc0f1bfcb8e5ab11c1bc4cdb (patch) | |
tree | 60a01beefe73812d91e6459bcfa0cccd54ea2e59 /drivers/isdn/hardware/mISDN/avmfritz.c | |
parent | c54e9bd38a06babf94fd45e5f1df9a1109e12818 (diff) | |
download | op-kernel-dev-819a100846295461bc0f1bfcb8e5ab11c1bc4cdb.zip op-kernel-dev-819a100846295461bc0f1bfcb8e5ab11c1bc4cdb.tar.gz |
mISDN: array underflow in open_bchannel()
There are two channels here. User space starts counting channels at one
but in the kernel we start at zero. If the user passes in a zero
channel that's invalid and could lead to memory corruption.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/isdn/hardware/mISDN/avmfritz.c')
-rw-r--r-- | drivers/isdn/hardware/mISDN/avmfritz.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/isdn/hardware/mISDN/avmfritz.c b/drivers/isdn/hardware/mISDN/avmfritz.c index 05ed4d0c..c0b8c96 100644 --- a/drivers/isdn/hardware/mISDN/avmfritz.c +++ b/drivers/isdn/hardware/mISDN/avmfritz.c @@ -891,7 +891,7 @@ open_bchannel(struct fritzcard *fc, struct channel_req *rq) { struct bchannel *bch; - if (rq->adr.channel > 2) + if (rq->adr.channel == 0 || rq->adr.channel > 2) return -EINVAL; if (rq->protocol == ISDN_P_NONE) return -EINVAL; |