diff options
| author | Eric Sesterhenn <snakebyte@gmx.de> | 2006-04-11 20:29:17 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2006-04-11 20:29:17 -0400 |
| commit | 052bb88e180d010f7da7186e6f21eea3be82a903 (patch) | |
| tree | 0f82c9cb4719f4d5874841bba9f08559cc4f2fe4 /drivers/isdn/i4l | |
| parent | 8db60bcf3021921e2d10d158641792d640e52fe8 (diff) | |
[ISDN]: Static overruns in drivers/isdn/i4l/isdn_ppp.c
Coverity found some static overruns in isdn_ppp.c (bug id #519) At several
places slot is compared <0 and > ISDN_MAX_CHANNELS and then used to index
ippp_table[ISDN_MAX_CHANNELS] A value of slot = ISDN_MAX_CHANNELS would run
over the end of the array.
Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/isdn/i4l')
| -rw-r--r-- | drivers/isdn/i4l/isdn_ppp.c | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c index a0927d1b7a0c..918742271c79 100644 --- a/drivers/isdn/i4l/isdn_ppp.c +++ b/drivers/isdn/i4l/isdn_ppp.c | |||
| @@ -109,7 +109,7 @@ isdn_ppp_free(isdn_net_local * lp) | |||
| 109 | { | 109 | { |
| 110 | struct ippp_struct *is; | 110 | struct ippp_struct *is; |
| 111 | 111 | ||
| 112 | if (lp->ppp_slot < 0 || lp->ppp_slot > ISDN_MAX_CHANNELS) { | 112 | if (lp->ppp_slot < 0 || lp->ppp_slot >= ISDN_MAX_CHANNELS) { |
| 113 | printk(KERN_ERR "%s: ppp_slot(%d) out of range\n", | 113 | printk(KERN_ERR "%s: ppp_slot(%d) out of range\n", |
| 114 | __FUNCTION__, lp->ppp_slot); | 114 | __FUNCTION__, lp->ppp_slot); |
| 115 | return 0; | 115 | return 0; |
| @@ -126,7 +126,7 @@ isdn_ppp_free(isdn_net_local * lp) | |||
| 126 | lp->netdev->pb->ref_ct--; | 126 | lp->netdev->pb->ref_ct--; |
| 127 | spin_unlock(&lp->netdev->pb->lock); | 127 | spin_unlock(&lp->netdev->pb->lock); |
| 128 | #endif /* CONFIG_ISDN_MPP */ | 128 | #endif /* CONFIG_ISDN_MPP */ |
| 129 | if (lp->ppp_slot < 0 || lp->ppp_slot > ISDN_MAX_CHANNELS) { | 129 | if (lp->ppp_slot < 0 || lp->ppp_slot >= ISDN_MAX_CHANNELS) { |
| 130 | printk(KERN_ERR "%s: ppp_slot(%d) now invalid\n", | 130 | printk(KERN_ERR "%s: ppp_slot(%d) now invalid\n", |
| 131 | __FUNCTION__, lp->ppp_slot); | 131 | __FUNCTION__, lp->ppp_slot); |
| 132 | return 0; | 132 | return 0; |
| @@ -279,7 +279,7 @@ isdn_ppp_open(int min, struct file *file) | |||
| 279 | int slot; | 279 | int slot; |
| 280 | struct ippp_struct *is; | 280 | struct ippp_struct *is; |
| 281 | 281 | ||
| 282 | if (min < 0 || min > ISDN_MAX_CHANNELS) | 282 | if (min < 0 || min >= ISDN_MAX_CHANNELS) |
| 283 | return -ENODEV; | 283 | return -ENODEV; |
| 284 | 284 | ||
| 285 | slot = isdn_ppp_get_slot(); | 285 | slot = isdn_ppp_get_slot(); |
| @@ -1042,7 +1042,7 @@ isdn_ppp_push_higher(isdn_net_dev * net_dev, isdn_net_local * lp, struct sk_buff | |||
| 1042 | if (lp->master) { // FIXME? | 1042 | if (lp->master) { // FIXME? |
| 1043 | mlp = (isdn_net_local *) lp->master->priv; | 1043 | mlp = (isdn_net_local *) lp->master->priv; |
| 1044 | slot = mlp->ppp_slot; | 1044 | slot = mlp->ppp_slot; |
| 1045 | if (slot < 0 || slot > ISDN_MAX_CHANNELS) { | 1045 | if (slot < 0 || slot >= ISDN_MAX_CHANNELS) { |
| 1046 | printk(KERN_ERR "isdn_ppp_push_higher: master->ppp_slot(%d)\n", | 1046 | printk(KERN_ERR "isdn_ppp_push_higher: master->ppp_slot(%d)\n", |
| 1047 | lp->ppp_slot); | 1047 | lp->ppp_slot); |
| 1048 | goto drop_packet; | 1048 | goto drop_packet; |
| @@ -1264,7 +1264,7 @@ isdn_ppp_xmit(struct sk_buff *skb, struct net_device *netdev) | |||
| 1264 | /* we have our lp locked from now on */ | 1264 | /* we have our lp locked from now on */ |
| 1265 | 1265 | ||
| 1266 | slot = lp->ppp_slot; | 1266 | slot = lp->ppp_slot; |
| 1267 | if (slot < 0 || slot > ISDN_MAX_CHANNELS) { | 1267 | if (slot < 0 || slot >= ISDN_MAX_CHANNELS) { |
| 1268 | printk(KERN_ERR "isdn_ppp_xmit: lp->ppp_slot(%d)\n", | 1268 | printk(KERN_ERR "isdn_ppp_xmit: lp->ppp_slot(%d)\n", |
| 1269 | lp->ppp_slot); | 1269 | lp->ppp_slot); |
| 1270 | kfree_skb(skb); | 1270 | kfree_skb(skb); |
| @@ -1603,7 +1603,7 @@ static void isdn_ppp_mp_receive(isdn_net_dev * net_dev, isdn_net_local * lp, | |||
| 1603 | mp = net_dev->pb; | 1603 | mp = net_dev->pb; |
| 1604 | stats = &mp->stats; | 1604 | stats = &mp->stats; |
| 1605 | slot = lp->ppp_slot; | 1605 | slot = lp->ppp_slot; |
| 1606 | if (slot < 0 || slot > ISDN_MAX_CHANNELS) { | 1606 | if (slot < 0 || slot >= ISDN_MAX_CHANNELS) { |
| 1607 | printk(KERN_ERR "%s: lp->ppp_slot(%d)\n", | 1607 | printk(KERN_ERR "%s: lp->ppp_slot(%d)\n", |
| 1608 | __FUNCTION__, lp->ppp_slot); | 1608 | __FUNCTION__, lp->ppp_slot); |
| 1609 | stats->frame_drops++; | 1609 | stats->frame_drops++; |
| @@ -1640,7 +1640,7 @@ static void isdn_ppp_mp_receive(isdn_net_dev * net_dev, isdn_net_local * lp, | |||
| 1640 | is->last_link_seqno = minseq = newseq; | 1640 | is->last_link_seqno = minseq = newseq; |
| 1641 | for (lpq = net_dev->queue;;) { | 1641 | for (lpq = net_dev->queue;;) { |
| 1642 | slot = lpq->ppp_slot; | 1642 | slot = lpq->ppp_slot; |
| 1643 | if (slot < 0 || slot > ISDN_MAX_CHANNELS) { | 1643 | if (slot < 0 || slot >= ISDN_MAX_CHANNELS) { |
| 1644 | printk(KERN_ERR "%s: lpq->ppp_slot(%d)\n", | 1644 | printk(KERN_ERR "%s: lpq->ppp_slot(%d)\n", |
| 1645 | __FUNCTION__, lpq->ppp_slot); | 1645 | __FUNCTION__, lpq->ppp_slot); |
| 1646 | } else { | 1646 | } else { |
| @@ -2648,7 +2648,7 @@ static void isdn_ppp_receive_ccp(isdn_net_dev *net_dev, isdn_net_local *lp, | |||
| 2648 | 2648 | ||
| 2649 | printk(KERN_DEBUG "Received CCP frame from peer slot(%d)\n", | 2649 | printk(KERN_DEBUG "Received CCP frame from peer slot(%d)\n", |
| 2650 | lp->ppp_slot); | 2650 | lp->ppp_slot); |
| 2651 | if (lp->ppp_slot < 0 || lp->ppp_slot > ISDN_MAX_CHANNELS) { | 2651 | if (lp->ppp_slot < 0 || lp->ppp_slot >= ISDN_MAX_CHANNELS) { |
| 2652 | printk(KERN_ERR "%s: lp->ppp_slot(%d) out of range\n", | 2652 | printk(KERN_ERR "%s: lp->ppp_slot(%d) out of range\n", |
| 2653 | __FUNCTION__, lp->ppp_slot); | 2653 | __FUNCTION__, lp->ppp_slot); |
| 2654 | return; | 2654 | return; |
| @@ -2658,7 +2658,7 @@ static void isdn_ppp_receive_ccp(isdn_net_dev *net_dev, isdn_net_local *lp, | |||
| 2658 | 2658 | ||
| 2659 | if(lp->master) { | 2659 | if(lp->master) { |
| 2660 | int slot = ((isdn_net_local *) (lp->master->priv))->ppp_slot; | 2660 | int slot = ((isdn_net_local *) (lp->master->priv))->ppp_slot; |
| 2661 | if (slot < 0 || slot > ISDN_MAX_CHANNELS) { | 2661 | if (slot < 0 || slot >= ISDN_MAX_CHANNELS) { |
| 2662 | printk(KERN_ERR "%s: slot(%d) out of range\n", | 2662 | printk(KERN_ERR "%s: slot(%d) out of range\n", |
| 2663 | __FUNCTION__, slot); | 2663 | __FUNCTION__, slot); |
| 2664 | return; | 2664 | return; |
| @@ -2845,7 +2845,7 @@ static void isdn_ppp_send_ccp(isdn_net_dev *net_dev, isdn_net_local *lp, struct | |||
| 2845 | 2845 | ||
| 2846 | if (lp->master) { | 2846 | if (lp->master) { |
| 2847 | slot = ((isdn_net_local *) (lp->master->priv))->ppp_slot; | 2847 | slot = ((isdn_net_local *) (lp->master->priv))->ppp_slot; |
| 2848 | if (slot < 0 || slot > ISDN_MAX_CHANNELS) { | 2848 | if (slot < 0 || slot >= ISDN_MAX_CHANNELS) { |
| 2849 | printk(KERN_ERR "%s: slot(%d) out of range\n", | 2849 | printk(KERN_ERR "%s: slot(%d) out of range\n", |
| 2850 | __FUNCTION__, slot); | 2850 | __FUNCTION__, slot); |
| 2851 | return; | 2851 | return; |