• D
    irda: small read past the end of array in debug code · e15465e1
    Dan Carpenter 提交于
    The "reason" can come from skb->data[] and it hasn't been capped so it
    can be from 0-255 instead of just 0-6.  For example in irlmp_state_dtr()
    the code does:
    
    	reason = skb->data[3];
    	...
    	irlmp_disconnect_indication(self, reason, skb);
    
    Also LMREASON has a couple other values which don't have entries in the
    irlmp_reasons[] array.  And 0xff is a valid reason as well which means
    "unknown".
    
    So far as I can see we don't actually care about "reason" except for in
    the debug code.
    Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: NDavid S. Miller <davem@davemloft.net>
    e15465e1
irlmp.c 54.5 KB