[patch] atm: iphase: off by one in rx_pkt()

[patch] atm: iphase: off by one in rx_pkt()

[Dan Carpenter]

The iadev->rx_open[] array holds "iadev->num_vc" pointers (this code
assumes that pointers are 32 bits).  So the > here should be >= or else
we could end up reading a garbage pointer from one element beyond the
end of the array.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c
index 7d00f29..f86e318 100644
--- a/drivers/atm/iphase.c
+++ b/drivers/atm/iphase.c
@@ -1128,7 +1128,7 @@ static int rx_pkt(struct atm_dev *dev)
 	/* make the ptr point to the corresponding buffer desc entry */  
 	buf_desc_ptr += desc;	  
         if (!desc || (desc > iadev->num_rx_desc) || 
-                      ((buf_desc_ptr->vc_index & 0xffff) > iadev->num_vc)) { 
+                      ((buf_desc_ptr->vc_index & 0xffff) >= iadev->num_vc)) { 
             free_desc(dev, desc);
             IF_ERR(printk("IA: bad descriptor desc = %d \n", desc);)
             return -1;

Re: [patch] atm: iphase: off by one in rx_pkt()

[David Miller]

From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 27 May 2016 13:34:35 +0300

> The iadev->rx_open[] array holds "iadev->num_vc" pointers (this code
> assumes that pointers are 32 bits).  So the > here should be >= or else
> we could end up reading a garbage pointer from one element beyond the
> end of the array.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied.