Skip to content

Commit

Permalink
mISDN: array underflow in open_bchannel()
Browse files Browse the repository at this point in the history 
There are two channels here.  User space starts counting channels at one
but in the kernel we start at zero.  If the user passes in a zero
channel that's invalid and could lead to memory corruption.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
Dan Carpenter authored and David S. Miller committed Mar 28, 2012
1 parent c54e9bd commit 819a100
Show file tree
Hide file tree
Showing 7 changed files with 7 additions and 7 deletions.
2 changes: 1 addition & 1 deletion drivers/isdn/hardware/mISDN/avmfritz.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -891,7 +891,7 @@ open_bchannel(struct fritzcard *fc, struct channel_req *rq)
{
struct bchannel *bch;

if (rq->adr.channel > 2)
if (rq->adr.channel == 0 || rq->adr.channel > 2)
return -EINVAL;
if (rq->protocol == ISDN_P_NONE)
return -EINVAL;
Expand Down
2 changes: 1 addition & 1 deletion drivers/isdn/hardware/mISDN/hfcpci.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1962,7 +1962,7 @@ open_bchannel(struct hfc_pci *hc, struct channel_req *rq)
{
struct bchannel *bch;

if (rq->adr.channel > 2)
if (rq->adr.channel == 0 || rq->adr.channel > 2)
return -EINVAL;
if (rq->protocol == ISDN_P_NONE)
return -EINVAL;
Expand Down
2 changes: 1 addition & 1 deletion drivers/isdn/hardware/mISDN/hfcsusb.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -486,7 +486,7 @@ open_bchannel(struct hfcsusb *hw, struct channel_req *rq)
{
struct bchannel *bch;

if (rq->adr.channel > 2)
if (rq->adr.channel == 0 || rq->adr.channel > 2)
return -EINVAL;
if (rq->protocol == ISDN_P_NONE)
return -EINVAL;
Expand Down
2 changes: 1 addition & 1 deletion drivers/isdn/hardware/mISDN/mISDNipac.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1506,7 +1506,7 @@ open_bchannel(struct ipac_hw *ipac, struct channel_req *rq)
{
struct bchannel *bch;

if (rq->adr.channel > 2)
if (rq->adr.channel == 0 || rq->adr.channel > 2)
return -EINVAL;
if (rq->protocol == ISDN_P_NONE)
return -EINVAL;
Expand Down
2 changes: 1 addition & 1 deletion drivers/isdn/hardware/mISDN/mISDNisar.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1670,7 +1670,7 @@ isar_open(struct isar_hw *isar, struct channel_req *rq)
{
struct bchannel *bch;

if (rq->adr.channel > 2)
if (rq->adr.channel == 0 || rq->adr.channel > 2)
return -EINVAL;
if (rq->protocol == ISDN_P_NONE)
return -EINVAL;
Expand Down
2 changes: 1 addition & 1 deletion drivers/isdn/hardware/mISDN/netjet.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -860,7 +860,7 @@ open_bchannel(struct tiger_hw *card, struct channel_req *rq)
{
struct bchannel *bch;

if (rq->adr.channel > 2)
if (rq->adr.channel == 0 || rq->adr.channel > 2)
return -EINVAL;
if (rq->protocol == ISDN_P_NONE)
return -EINVAL;
Expand Down
2 changes: 1 addition & 1 deletion drivers/isdn/hardware/mISDN/w6692.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1015,7 +1015,7 @@ open_bchannel(struct w6692_hw *card, struct channel_req *rq)
{
struct bchannel *bch;

if (rq->adr.channel > 2)
if (rq->adr.channel == 0 || rq->adr.channel > 2)
return -EINVAL;
if (rq->protocol == ISDN_P_NONE)
return -EINVAL;
Expand Down

0 comments on commit 819a100

Please sign in to comment.