Date: Thu, 11 Jun 2015 10:58:52 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: linux-kernel@vger.kernel.org
Subject: Re: isdn: pcbit: another off-by-one issue?
Message-ID: <20150611075852.GE11734@mwanda>
References: <87381zqr4y.fsf@rasmusvillemoes.dk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87381zqr4y.fsf@rasmusvillemoes.dk>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1209
Lines: 36

On Wed, Jun 10, 2015 at 09:50:53PM +0200, Rasmus Villemoes wrote:
> Hi Dan
> 
> You were last to touch drivers/isdn/pcbit/drv.c (7bcc6738eef), but I
> think there may still be an off-by-one in pcbit_set_msn: At the end of
> the loop, sp is incremented by len, but if the string contained a comma,
> sp will now point at that. At that point, we seem to be stuck in an
> infinite loop where we'll always get cp==sp and len==0, until we run out
> of memory.
> 
> Am I reading this completely wrong?

Nope.  You're right.  That bug has been there since before the start of
git.  We could fix it by doing:

diff --git a/drivers/isdn/pcbit/drv.c b/drivers/isdn/pcbit/drv.c
index 4172e22..b156d5b 100644
--- a/drivers/isdn/pcbit/drv.c
+++ b/drivers/isdn/pcbit/drv.c
@@ -1053,7 +1053,7 @@ static void pcbit_set_msn(struct pcbit_dev *dev, char *list)
 		else
 			back->next = ptr;
 		back = ptr;
-		sp += len;
+		sp += len + 1;
 	} while (cp);
 }
 

regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/