[PATCH] Overrun in isdn_tty.c
authorEric Sesterhenn <snakebyte@gmx.de>
Sat, 20 May 2006 22:00:12 +0000 (15:00 -0700)
committerLinus Torvalds <torvalds@g5.osdl.org>
Sun, 21 May 2006 19:59:18 +0000 (12:59 -0700)
This fixes coverity bug id #1237.  After the while loop, it is possible for
i == ISDN_LMSNLEN.  If this happens the terminating '\0' is written after
the end of the array.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
drivers/isdn/i4l/isdn_tty.c

index 3585fb1f334460ae69a3c24e32c0ee03d52def49..2ac90242d263714b7d6108a9005982ef660c02d7 100644 (file)
@@ -2880,7 +2880,7 @@ isdn_tty_cmd_ATand(char **p, modem_info * info)
                        p[0]++;
                        i = 0;
                        while (*p[0] && (strchr("0123456789,-*[]?;", *p[0])) &&
-                              (i < ISDN_LMSNLEN))
+                              (i < ISDN_LMSNLEN - 1))
                                m->lmsn[i++] = *p[0]++;
                        m->lmsn[i] = '\0';
                        break;