atm: iphase: off by one in rx_pkt()

The iadev->rx_open[] array holds "iadev->num_vc" pointers (this code assumes that pointers are 32 bits). So the > here should be >= or else we could end up reading a garbage pointer from one element beyond the end of the array. Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

atm: iphase: off by one in rx_pkt()
The iadev->rx_open[] array holds "iadev->num_vc" pointers (this code assumes that pointers are 32 bits). So the > here should be >= or else we could end up reading a garbage pointer from one element beyond the end of the array. Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
f2633d2e · Dan Carpenter · David S. Miller · 86f04396 · f2633d2e
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/atm/iphase.c drivers/atm/iphase.c +1 -1

未找到文件。
--- a/drivers/atm/iphase.c
+++ b/drivers/atm/iphase.c
@@ -1128,7 +1128,7 @@ static int rx_pkt(struct atm_dev *dev)
 	/* make the ptr point to the corresponding buffer desc entry */  
 	buf_desc_ptr += desc;	  
        if (!desc || (desc > iadev->num_rx_desc) || 
-                      ((buf_desc_ptr->vc_index & 0xffff) > iadev->num_vc)) { 
+                      ((buf_desc_ptr->vc_index & 0xffff) >= iadev->num_vc)) {
            free_desc(dev, desc);
            IF_ERR(printk("IA: bad descriptor desc = %d \n", desc);)
            return -1;