mISDN: array underflow in open_bchannel()
There are two channels here. User space starts counting channels at one but in the kernel we start at zero. If the user passes in a zero channel that's invalid and could lead to memory corruption. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Dan Carpenter
committed by
David S. Miller
David S. Miller
parent
c54e9bd38a
commit
819a100846
@@ -486,7 +486,7 @@ open_bchannel(struct hfcsusb *hw, struct channel_req *rq)
|
||||
{
|
||||
struct bchannel *bch;
|
||||
|
||||
if (rq->adr.channel > 2)
|
||||
if (rq->adr.channel == 0 || rq->adr.channel > 2)
|
||||
return -EINVAL;
|
||||
if (rq->protocol == ISDN_P_NONE)
|
||||
return -EINVAL;
|
||||
|
||||
Reference in New Issue
Block a user