[PATCH] Overrun in isdn_tty.c

This fixes coverity bug id #1237. After the while loop, it is possible for i == ISDN_LMSNLEN. If this happens the terminating '\0' is written after the end of the array. Signed-off-by: N Eric Sesterhenn <snakebyte@gmx.de> Cc: Karsten Keil <kkeil@suse.de> Signed-off-by: N Andrew Morton <akpm@osdl.org> Signed-off-by: N Linus Torvalds <torvalds@osdl.org>

[PATCH] Overrun in isdn_tty.c
This fixes coverity bug id #1237. After the while loop, it is possible for i == ISDN_LMSNLEN. If this happens the terminating '\0' is written after the end of the array. Signed-off-by: N Eric Sesterhenn <snakebyte@gmx.de> Cc: Karsten Keil <kkeil@suse.de> Signed-off-by: N Andrew Morton <akpm@osdl.org> Signed-off-by: N Linus Torvalds <torvalds@osdl.org>
a6a61c54 · Eric Sesterhenn · Linus Torvalds · 92d1dbd2 · a6a61c54
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/isdn/i4l/isdn_tty.c drivers/isdn/i4l/isdn_tty.c +1 -1

未找到文件。
--- a/drivers/isdn/i4l/isdn_tty.c
+++ b/drivers/isdn/i4l/isdn_tty.c
@@ -2880,7 +2880,7 @@ isdn_tty_cmd_ATand(char **p, modem_info * info)
 			p[0]++;
 			i = 0;
 			while (*p[0] && (strchr("0123456789,-*[]?;", *p[0])) &&
-			       (i < ISDN_LMSNLEN))
+			       (i < ISDN_LMSNLEN - 1))
 				m->lmsn[i++] = *p[0]++;
 			m->lmsn[i] = '\0';
 			break;