aboutsummaryrefslogtreecommitdiffstats
path: root/net/lapb/lapb_iface.c
diff options
context:
space:
mode:
authorDiego Calleja <diegocg@gmail.com>2006-08-06 00:15:58 -0400
committerDavid S. Miller <davem@davemloft.net>2006-08-06 00:15:58 -0400
commit558e10a57db10de355ee97712d2b6df49e9b7849 (patch)
tree96c2289644358c43e5154c33d5a511ad3f06c324 /net/lapb/lapb_iface.c
parentd254bcdbf2199d9e2a52dbe4592e79ef3a456096 (diff)
[LAPB]: Fix windowsize check
In bug #6954, Norbert Reinartz reported the following issue: "Function lapb_setparms() in file net/lapb/lapb_iface.c checks if the given parameters are valid. If the given window size is in the range of 8 .. 127, lapb_setparms() fails and returns an error value of LAPB_INVALUE, even if bit LAPB_EXTENDED in parms->mode is set. If bit LAPB_EXTENDED in parms->mode is set and the window size is in the range of 8 .. 127, the first check "(parms->mode & LAPB_EXTENDED)" results true and the second check "(parms->window < 1 || parms->window > 127)" results false. Both checks in conjunction result to false, thus the third check "(parms->window < 1 || parms->window > 7)" is done by fault. This third check results true, so that we leave lapb_setparms() by 'goto out_put'. Seems that this bug doesn't cause any problems, because lapb_setparms() isn't used to change the default values of LAPB. We are using kernel lapb in our software project and also change the default parameters of lapb, so we found this bug" He also pasted a fix, that I've transformated into a patch: Signed-off-by: Diego Calleja <diegocg@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/lapb/lapb_iface.c')
-rw-r--r--net/lapb/lapb_iface.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/net/lapb/lapb_iface.c b/net/lapb/lapb_iface.c
index d504eed416f6..7e6bc41eeb21 100644
--- a/net/lapb/lapb_iface.c
+++ b/net/lapb/lapb_iface.c
@@ -238,11 +238,13 @@ int lapb_setparms(struct net_device *dev, struct lapb_parms_struct *parms)
238 goto out_put; 238 goto out_put;
239 239
240 if (lapb->state == LAPB_STATE_0) { 240 if (lapb->state == LAPB_STATE_0) {
241 if (((parms->mode & LAPB_EXTENDED) && 241 if (parms->mode & LAPB_EXTENDED) {
242 (parms->window < 1 || parms->window > 127)) || 242 if (parms->window < 1 || parms->window > 127)
243 (parms->window < 1 || parms->window > 7)) 243 goto out_put;
244 goto out_put; 244 } else {
245 245 if (parms->window < 1 || parms->window > 7)
246 goto out_put;
247 }
246 lapb->mode = parms->mode; 248 lapb->mode = parms->mode;
247 lapb->window = parms->window; 249 lapb->window = parms->window;
248 } 250 }