From: Tilman Schmidt <tilman@imap.cc>
Date: Tue, 16 Mar 2010 07:04:01 +0000 (+0000)
Subject: gigaset: correct range checking off by one error
X-Git-Tag: firefly_0821_release~9833^2~2199^2~228
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=6ad34145cf809384359fe513481d6e16638a57a3;p=firefly-linux-kernel-4.4.55.git

gigaset: correct range checking off by one error

Correct a potential array overrun due to an off by one error in the
range check on the CAPI CONNECT_REQ CIPValue parameter.
Found and reported by Dan Carpenter using smatch.

Impact: bugfix
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c
index 4a31962ddf71..0220c19351d9 100644
--- a/drivers/isdn/gigaset/capi.c
+++ b/drivers/isdn/gigaset/capi.c
@@ -1301,7 +1301,7 @@ static void do_connect_req(struct gigaset_capi_ctr *iif,
 	}
 
 	/* check parameter: CIP Value */
-	if (cmsg->CIPValue > ARRAY_SIZE(cip2bchlc) ||
+	if (cmsg->CIPValue >= ARRAY_SIZE(cip2bchlc) ||
 	    (cmsg->CIPValue > 0 && cip2bchlc[cmsg->CIPValue].bc == NULL)) {
 		dev_notice(cs->dev, "%s: unknown CIP value %d\n",
 			   "CONNECT_REQ", cmsg->CIPValue);