From 819a100846295461bc0f1bfcb8e5ab11c1bc4cdb Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Mon, 26 Mar 2012 21:20:48 +0000 Subject: mISDN: array underflow in open_bchannel() There are two channels here. User space starts counting channels at one but in the kernel we start at zero. If the user passes in a zero channel that's invalid and could lead to memory corruption. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller --- drivers/isdn/hardware/mISDN/mISDNisar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/isdn/hardware/mISDN/mISDNisar.c') diff --git a/drivers/isdn/hardware/mISDN/mISDNisar.c b/drivers/isdn/hardware/mISDN/mISDNisar.c index 10446ab404b5..9a6da6edcfa8 100644 --- a/drivers/isdn/hardware/mISDN/mISDNisar.c +++ b/drivers/isdn/hardware/mISDN/mISDNisar.c @@ -1670,7 +1670,7 @@ isar_open(struct isar_hw *isar, struct channel_req *rq) { struct bchannel *bch; - if (rq->adr.channel > 2) + if (rq->adr.channel == 0 || rq->adr.channel > 2) return -EINVAL; if (rq->protocol == ISDN_P_NONE) return -EINVAL; -- cgit v1.2.3