[2.6 patch] drivers/isdn/i4l/isdn_common.c: fix array overflows

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Adrian Bunk <bunk@stusta.de>
To: kkeil@suse.de, kai.germaschewski@gmx.de
Cc: isdn4linux@listserv.isdn4linux.de, linux-kernel@vger.kernel.org
Subject: [2.6 patch] drivers/isdn/i4l/isdn_common.c: fix array overflows
Date: Tue, 15 Aug 2006 02:42:05 +0200	[thread overview]
Message-ID: <20060815004205.GG3543@stusta.de> (raw)

The Coverity checker spotted these guaranteed array overflows.

Please review whether my fix is correct.

Signed-off-by: Adrian Bunk <bunk@stusta.de>

---

 drivers/isdn/i4l/isdn_common.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- linux-2.6.18-rc4-mm1/drivers/isdn/i4l/isdn_common.c.old	2006-08-15 00:54:32.000000000 +0200
+++ linux-2.6.18-rc4-mm1/drivers/isdn/i4l/isdn_common.c	2006-08-15 01:02:17.000000000 +0200
@@ -1109,61 +1109,61 @@ isdn_read(struct file *file, char __user
 			retval = -ENOMEM;
 			goto out;
 		}
 		len = isdn_readbchan(drvidx, chidx, p, NULL, count,
 				     &dev->drv[drvidx]->rcv_waitq[chidx]);
 		*off += len;
 		if (copy_to_user(buf,p,len)) 
 			len = -EFAULT;
 		kfree(p);
 		retval = len;
 		goto out;
 	}
 	if (minor <= ISDN_MINOR_CTRLMAX) {
 		drvidx = isdn_minor2drv(minor - ISDN_MINOR_CTRL);
 		if (drvidx < 0) {
 			retval = -ENODEV;
 			goto out;
 		}
 		if (!dev->drv[drvidx]->stavail) {
 			if (file->f_flags & O_NONBLOCK) {
 				retval = -EAGAIN;
 				goto out;
 			}
 			interruptible_sleep_on(&(dev->drv[drvidx]->st_waitq));
 		}
 		if (dev->drv[drvidx]->interface->readstat) {
 			if (count > dev->drv[drvidx]->stavail)
 				count = dev->drv[drvidx]->stavail;
 			len = dev->drv[drvidx]->interface->
 				readstat(buf, count, drvidx,
-					 isdn_minor2chan(minor));
+					 isdn_minor2chan(minor - ISDN_MINOR_CTRL));
 		} else {
 			len = 0;
 		}
 		if (len)
 			dev->drv[drvidx]->stavail -= len;
 		else
 			dev->drv[drvidx]->stavail = 0;
 		*off += len;
 		retval = len;
 		goto out;
 	}
 #ifdef CONFIG_ISDN_PPP
 	if (minor <= ISDN_MINOR_PPPMAX) {
 		retval = isdn_ppp_read(minor - ISDN_MINOR_PPP, file, buf, count);
 		goto out;
 	}
 #endif
 	retval = -ENODEV;
  out:
 	unlock_kernel();
 	return retval;
 }
 
 static ssize_t
 isdn_write(struct file *file, const char __user *buf, size_t count, loff_t * off)
 {
 	uint minor = iminor(file->f_dentry->d_inode);
 	int drvidx;
 	int chidx;
 	int retval;
@@ -1177,61 +1177,61 @@ isdn_write(struct file *file, const char
 	if (minor <= ISDN_MINOR_BMAX) {
 		printk(KERN_WARNING "isdn_write minor %d obsolete!\n", minor);
 		drvidx = isdn_minor2drv(minor);
 		if (drvidx < 0) {
 			retval = -ENODEV;
 			goto out;
 		}
 		if (!(dev->drv[drvidx]->flags & DRV_FLAG_RUNNING)) {
 			retval = -ENODEV;
 			goto out;
 		}
 		chidx = isdn_minor2chan(minor);
 		while ((retval = isdn_writebuf_stub(drvidx, chidx, buf, count)) == 0)
 			interruptible_sleep_on(&dev->drv[drvidx]->snd_waitq[chidx]);
 		goto out;
 	}
 	if (minor <= ISDN_MINOR_CTRLMAX) {
 		drvidx = isdn_minor2drv(minor - ISDN_MINOR_CTRL);
 		if (drvidx < 0) {
 			retval = -ENODEV;
 			goto out;
 		}
 		/*
 		 * We want to use the isdnctrl device to load the firmware
 		 *
 		 if (!(dev->drv[drvidx]->flags & DRV_FLAG_RUNNING))
 		 return -ENODEV;
 		 */
 		if (dev->drv[drvidx]->interface->writecmd)
 			retval = dev->drv[drvidx]->interface->
-				writecmd(buf, count, drvidx, isdn_minor2chan(minor));
+				writecmd(buf, count, drvidx, isdn_minor2chan(minor - ISDN_MINOR_CTRL));
 		else
 			retval = count;
 		goto out;
 	}
 #ifdef CONFIG_ISDN_PPP
 	if (minor <= ISDN_MINOR_PPPMAX) {
 		retval = isdn_ppp_write(minor - ISDN_MINOR_PPP, file, buf, count);
 		goto out;
 	}
 #endif
 	retval = -ENODEV;
  out:
 	unlock_kernel();
 	return retval;
 }
 
 static unsigned int
 isdn_poll(struct file *file, poll_table * wait)
 {
 	unsigned int mask = 0;
 	unsigned int minor = iminor(file->f_dentry->d_inode);
 	int drvidx = isdn_minor2drv(minor - ISDN_MINOR_CTRL);
 
 	lock_kernel();
 	if (minor == ISDN_MINOR_STATUS) {
 		poll_wait(file, &(dev->info_waitq), wait);
 		/* mask = POLLOUT | POLLWRNORM; */
 		if (file->private_data) {
 			mask |= POLLIN | POLLRDNORM;
 		}

                 reply	other threads:[~2006-08-15  0:42 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20060815004205.GG3543@stusta.de \
    --to=bunk@stusta.de \
    --cc=isdn4linux@listserv.isdn4linux.de \
    --cc=kai.germaschewski@gmx.de \
    --cc=kkeil@suse.de \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox