From a6a61c5494145c904bead0cceadd94080bd3a784 Mon Sep 17 00:00:00 2001 From: Eric Sesterhenn Date: Sat, 20 May 2006 15:00:12 -0700 Subject: [PATCH] Overrun in isdn_tty.c This fixes coverity bug id #1237. After the while loop, it is possible for i == ISDN_LMSNLEN. If this happens the terminating '\0' is written after the end of the array. Signed-off-by: Eric Sesterhenn Cc: Karsten Keil Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/isdn/i4l/isdn_tty.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c index 3585fb1..2ac9024 100644 --- a/drivers/isdn/i4l/isdn_tty.c +++ b/drivers/isdn/i4l/isdn_tty.c @@ -2880,7 +2880,7 @@ isdn_tty_cmd_ATand(char **p, modem_info * info) p[0]++; i = 0; while (*p[0] && (strchr("0123456789,-*[]?;", *p[0])) && - (i < ISDN_LMSNLEN)) + (i < ISDN_LMSNLEN - 1)) m->lmsn[i++] = *p[0]++; m->lmsn[i] = '\0'; break; -- cgit v1.1