gigaset: correct range checking off by one error

commit 6ad34145cf809384359fe513481d6e16638a57a3 upstream. Correct a potential array overrun due to an off by one error in the range check on the CAPI CONNECT_REQ CIPValue parameter. Found and reported by Dan Carpenter using smatch. Impact: bugfix Signed-off-by: Tilman Schmidt <tilman@imap.cc> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Tilman Schmidt <tilman@imap.cc> 2010-03-16 03:04:01 -0400
committer: Greg Kroah-Hartman <gregkh@suse.de> 2010-04-01 19:01:28 -0400
commit: f3cfe648b427db8768a1039cfd201842ae8a4a1d (patch)
tree: 05eb38149d2b254fdde88b4cec91027624354c47 /drivers
parent: 9e08fc1695862878f05d2ae12e5c8fc004ca8f70 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c
index b7f2ebb50008..6b6c25d279be 100644
--- a/drivers/isdn/gigaset/capi.c
+++ b/drivers/isdn/gigaset/capi.c
@@ -1313,7 +1313,7 @@ static void do_connect_req(struct gigaset_capi_ctr *iif,
        }
        /* check parameter: CIP Value */
-        if (cmsg->CIPValue > ARRAY_SIZE(cip2bchlc) ||
+        if (cmsg->CIPValue >= ARRAY_SIZE(cip2bchlc) ||
            (cmsg->CIPValue > 0 && cip2bchlc[cmsg->CIPValue].bc == NULL)) {
                dev_notice(cs->dev, "%s: unknown CIP value %d\n",
                           "CONNECT_REQ", cmsg->CIPValue);
author	Tilman Schmidt <tilman@imap.cc>	2010-03-16 03:04:01 -0400
committer	Greg Kroah-Hartman <gregkh@suse.de>	2010-04-01 19:01:28 -0400
commit	f3cfe648b427db8768a1039cfd201842ae8a4a1d (patch)
tree	05eb38149d2b254fdde88b4cec91027624354c47 /drivers
parent	9e08fc1695862878f05d2ae12e5c8fc004ca8f70 (diff)

diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c index b7f2ebb50008..6b6c25d279be 100644 --- a/drivers/isdn/gigaset/capi.c +++ b/drivers/isdn/gigaset/capi.c
@@ -1313,7 +1313,7 @@ static void do_connect_req(struct gigaset_capi_ctr *iif,
1313	}	1313	}
1314		1314
1315	/* check parameter: CIP Value */	1315	/* check parameter: CIP Value */
1316	if (cmsg->CIPValue > ARRAY_SIZE(cip2bchlc) \|\|	1316	if (cmsg->CIPValue >= ARRAY_SIZE(cip2bchlc) \|\|
1317	(cmsg->CIPValue > 0 && cip2bchlc[cmsg->CIPValue].bc == NULL)) {	1317	(cmsg->CIPValue > 0 && cip2bchlc[cmsg->CIPValue].bc == NULL)) {
1318	dev_notice(cs->dev, "%s: unknown CIP value %d\n",	1318	dev_notice(cs->dev, "%s: unknown CIP value %d\n",
1319	"CONNECT_REQ", cmsg->CIPValue);	1319	"CONNECT_REQ", cmsg->CIPValue);