aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Sesterhenn <snakebyte@gmx.de>2006-04-11 20:29:17 -0400
committerDavid S. Miller <davem@davemloft.net>2006-04-11 20:29:17 -0400
commit052bb88e180d010f7da7186e6f21eea3be82a903 (patch)
tree0f82c9cb4719f4d5874841bba9f08559cc4f2fe4
parent8db60bcf3021921e2d10d158641792d640e52fe8 (diff)
[ISDN]: Static overruns in drivers/isdn/i4l/isdn_ppp.c
Coverity found some static overruns in isdn_ppp.c (bug id #519) At several places slot is compared <0 and > ISDN_MAX_CHANNELS and then used to index ippp_table[ISDN_MAX_CHANNELS] A value of slot = ISDN_MAX_CHANNELS would run over the end of the array. Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/isdn/i4l/isdn_ppp.c20
1 files changed, 10 insertions, 10 deletions
diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c
index a0927d1b7a0c..918742271c79 100644
--- a/drivers/isdn/i4l/isdn_ppp.c
+++ b/drivers/isdn/i4l/isdn_ppp.c
@@ -109,7 +109,7 @@ isdn_ppp_free(isdn_net_local * lp)
109{ 109{
110 struct ippp_struct *is; 110 struct ippp_struct *is;
111 111
112 if (lp->ppp_slot < 0 || lp->ppp_slot > ISDN_MAX_CHANNELS) { 112 if (lp->ppp_slot < 0 || lp->ppp_slot >= ISDN_MAX_CHANNELS) {
113 printk(KERN_ERR "%s: ppp_slot(%d) out of range\n", 113 printk(KERN_ERR "%s: ppp_slot(%d) out of range\n",
114 __FUNCTION__, lp->ppp_slot); 114 __FUNCTION__, lp->ppp_slot);
115 return 0; 115 return 0;
@@ -126,7 +126,7 @@ isdn_ppp_free(isdn_net_local * lp)
126 lp->netdev->pb->ref_ct--; 126 lp->netdev->pb->ref_ct--;
127 spin_unlock(&lp->netdev->pb->lock); 127 spin_unlock(&lp->netdev->pb->lock);
128#endif /* CONFIG_ISDN_MPP */ 128#endif /* CONFIG_ISDN_MPP */
129 if (lp->ppp_slot < 0 || lp->ppp_slot > ISDN_MAX_CHANNELS) { 129 if (lp->ppp_slot < 0 || lp->ppp_slot >= ISDN_MAX_CHANNELS) {
130 printk(KERN_ERR "%s: ppp_slot(%d) now invalid\n", 130 printk(KERN_ERR "%s: ppp_slot(%d) now invalid\n",
131 __FUNCTION__, lp->ppp_slot); 131 __FUNCTION__, lp->ppp_slot);
132 return 0; 132 return 0;
@@ -279,7 +279,7 @@ isdn_ppp_open(int min, struct file *file)
279 int slot; 279 int slot;
280 struct ippp_struct *is; 280 struct ippp_struct *is;
281 281
282 if (min < 0 || min > ISDN_MAX_CHANNELS) 282 if (min < 0 || min >= ISDN_MAX_CHANNELS)
283 return -ENODEV; 283 return -ENODEV;
284 284
285 slot = isdn_ppp_get_slot(); 285 slot = isdn_ppp_get_slot();
@@ -1042,7 +1042,7 @@ isdn_ppp_push_higher(isdn_net_dev * net_dev, isdn_net_local * lp, struct sk_buff
1042 if (lp->master) { // FIXME? 1042 if (lp->master) { // FIXME?
1043 mlp = (isdn_net_local *) lp->master->priv; 1043 mlp = (isdn_net_local *) lp->master->priv;
1044 slot = mlp->ppp_slot; 1044 slot = mlp->ppp_slot;
1045 if (slot < 0 || slot > ISDN_MAX_CHANNELS) { 1045 if (slot < 0 || slot >= ISDN_MAX_CHANNELS) {
1046 printk(KERN_ERR "isdn_ppp_push_higher: master->ppp_slot(%d)\n", 1046 printk(KERN_ERR "isdn_ppp_push_higher: master->ppp_slot(%d)\n",
1047 lp->ppp_slot); 1047 lp->ppp_slot);
1048 goto drop_packet; 1048 goto drop_packet;
@@ -1264,7 +1264,7 @@ isdn_ppp_xmit(struct sk_buff *skb, struct net_device *netdev)
1264 /* we have our lp locked from now on */ 1264 /* we have our lp locked from now on */
1265 1265
1266 slot = lp->ppp_slot; 1266 slot = lp->ppp_slot;
1267 if (slot < 0 || slot > ISDN_MAX_CHANNELS) { 1267 if (slot < 0 || slot >= ISDN_MAX_CHANNELS) {
1268 printk(KERN_ERR "isdn_ppp_xmit: lp->ppp_slot(%d)\n", 1268 printk(KERN_ERR "isdn_ppp_xmit: lp->ppp_slot(%d)\n",
1269 lp->ppp_slot); 1269 lp->ppp_slot);
1270 kfree_skb(skb); 1270 kfree_skb(skb);
@@ -1603,7 +1603,7 @@ static void isdn_ppp_mp_receive(isdn_net_dev * net_dev, isdn_net_local * lp,
1603 mp = net_dev->pb; 1603 mp = net_dev->pb;
1604 stats = &mp->stats; 1604 stats = &mp->stats;
1605 slot = lp->ppp_slot; 1605 slot = lp->ppp_slot;
1606 if (slot < 0 || slot > ISDN_MAX_CHANNELS) { 1606 if (slot < 0 || slot >= ISDN_MAX_CHANNELS) {
1607 printk(KERN_ERR "%s: lp->ppp_slot(%d)\n", 1607 printk(KERN_ERR "%s: lp->ppp_slot(%d)\n",
1608 __FUNCTION__, lp->ppp_slot); 1608 __FUNCTION__, lp->ppp_slot);
1609 stats->frame_drops++; 1609 stats->frame_drops++;
@@ -1640,7 +1640,7 @@ static void isdn_ppp_mp_receive(isdn_net_dev * net_dev, isdn_net_local * lp,
1640 is->last_link_seqno = minseq = newseq; 1640 is->last_link_seqno = minseq = newseq;
1641 for (lpq = net_dev->queue;;) { 1641 for (lpq = net_dev->queue;;) {
1642 slot = lpq->ppp_slot; 1642 slot = lpq->ppp_slot;
1643 if (slot < 0 || slot > ISDN_MAX_CHANNELS) { 1643 if (slot < 0 || slot >= ISDN_MAX_CHANNELS) {
1644 printk(KERN_ERR "%s: lpq->ppp_slot(%d)\n", 1644 printk(KERN_ERR "%s: lpq->ppp_slot(%d)\n",
1645 __FUNCTION__, lpq->ppp_slot); 1645 __FUNCTION__, lpq->ppp_slot);
1646 } else { 1646 } else {
@@ -2648,7 +2648,7 @@ static void isdn_ppp_receive_ccp(isdn_net_dev *net_dev, isdn_net_local *lp,
2648 2648
2649 printk(KERN_DEBUG "Received CCP frame from peer slot(%d)\n", 2649 printk(KERN_DEBUG "Received CCP frame from peer slot(%d)\n",
2650 lp->ppp_slot); 2650 lp->ppp_slot);
2651 if (lp->ppp_slot < 0 || lp->ppp_slot > ISDN_MAX_CHANNELS) { 2651 if (lp->ppp_slot < 0 || lp->ppp_slot >= ISDN_MAX_CHANNELS) {
2652 printk(KERN_ERR "%s: lp->ppp_slot(%d) out of range\n", 2652 printk(KERN_ERR "%s: lp->ppp_slot(%d) out of range\n",
2653 __FUNCTION__, lp->ppp_slot); 2653 __FUNCTION__, lp->ppp_slot);
2654 return; 2654 return;
@@ -2658,7 +2658,7 @@ static void isdn_ppp_receive_ccp(isdn_net_dev *net_dev, isdn_net_local *lp,
2658 2658
2659 if(lp->master) { 2659 if(lp->master) {
2660 int slot = ((isdn_net_local *) (lp->master->priv))->ppp_slot; 2660 int slot = ((isdn_net_local *) (lp->master->priv))->ppp_slot;
2661 if (slot < 0 || slot > ISDN_MAX_CHANNELS) { 2661 if (slot < 0 || slot >= ISDN_MAX_CHANNELS) {
2662 printk(KERN_ERR "%s: slot(%d) out of range\n", 2662 printk(KERN_ERR "%s: slot(%d) out of range\n",
2663 __FUNCTION__, slot); 2663 __FUNCTION__, slot);
2664 return; 2664 return;
@@ -2845,7 +2845,7 @@ static void isdn_ppp_send_ccp(isdn_net_dev *net_dev, isdn_net_local *lp, struct
2845 2845
2846 if (lp->master) { 2846 if (lp->master) {
2847 slot = ((isdn_net_local *) (lp->master->priv))->ppp_slot; 2847 slot = ((isdn_net_local *) (lp->master->priv))->ppp_slot;
2848 if (slot < 0 || slot > ISDN_MAX_CHANNELS) { 2848 if (slot < 0 || slot >= ISDN_MAX_CHANNELS) {
2849 printk(KERN_ERR "%s: slot(%d) out of range\n", 2849 printk(KERN_ERR "%s: slot(%d) out of range\n",
2850 __FUNCTION__, slot); 2850 __FUNCTION__, slot);
2851 return; 2851 return;