From: Rasmus Villemoes
To: Dan Carpenter
Cc: linux-kernel@vger.kernel.org, Karsten Keil, netdev@vger.kernel.org
Subject: Re: isdn: pcbit: another off-by-one issue?
Date: Thu, 11 Jun 2015 11:28:03 +0200
Message-ID: <87mw06egrg.fsf@rasmusvillemoes.dk>
In-Reply-To: <20150611075852.GE11734@mwanda> (Dan Carpenter's message of "Thu, 11 Jun 2015 10:58:52 +0300")
References: <87381zqr4y.fsf@rasmusvillemoes.dk> <20150611075852.GE11734@mwanda>
X-Mailing-List: linux-kernel@vger.kernel.org

[adding some emails I should have Cc'ed in the first place]

On Thu, Jun 11 2015, Dan Carpenter wrote:

> On Wed, Jun 10, 2015 at 09:50:53PM +0200, Rasmus Villemoes wrote:
>> Hi Dan
>>
>> You were last to touch drivers/isdn/pcbit/drv.c (7bcc6738eef), but I
>> think there may still be an off-by-one in pcbit_set_msn: At the end of
>> the loop, sp is incremented by len, but if the string contained a comma,
>> sp will now point at that. At that point, we seem to be stuck in an
>> infinite loop where we'll always get cp==sp and len==0, until we run out
>> of memory.
>>
>> Am I reading this completely wrong?
>
> Nope. You're right. That bug has been there since before the start of
> git. We could fix it by doing:
>
> diff --git a/drivers/isdn/pcbit/drv.c b/drivers/isdn/pcbit/drv.c
> index 4172e22..b156d5b 100644
> --- a/drivers/isdn/pcbit/drv.c
> +++ b/drivers/isdn/pcbit/drv.c
> @@ -1053,7 +1053,7 @@ static void pcbit_set_msn(struct pcbit_dev *dev, char *list)
>  else
>  back->next = ptr;
>  back = ptr;
> - sp += len;
> + sp += len + 1;
>  } while (cp);
>  }

Yep, that's also what I would do. Since nobody seems to have been hit by
this ever, I wonder whether it's stable@ material. It probably doesn't
make sense to fix this without also backporting 7bcc6738eef.

Rasmus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
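Review bot: after `sp += len + 1;` the last iteration (cp == NULL) leaves sp one byte past the terminating NUL of `list`; that is only safe because `} while (cp);` exits before sp is read again, so a one-line comment on the `+ sp += len + 1;` line stating that invariant would stop the next reader from flagging it as a new overrun. Related edge case worth a sentence in the commit message: a list ending in a comma ("1234,") now advances sp to the terminator and the following iteration still runs the allocation path shown in the context (`back->next = ptr; back = ptr;`) for an empty entry, where before the patch that input looped forever; if an empty trailing entry is not wanted, a `if (cp && !cp[1]) break;`-style guard before the increment avoids it.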
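The loop the thread describes, as an added example that is not part of the e-mail exchange and not the pcbit driver's code: a user-space model of a comma-separated MSN list walk whose shape is inferred from the report (cp is the next ',' found by strchr(), len is cp - sp or the remaining length), with a switch that selects the pre-patch increment (sp += len) or Dan's fix (sp += len + 1). The function names and the sample list are constructed for the demonstration; the iteration cap exists only so the pre-patch variant returns instead of allocating until memory runs out.

```c
/*
 * Added example (not the pcbit driver code): a user-space model of the
 * comma-separated MSN list walk discussed in the thread.  Names such as
 * split_msn_list() are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cap so the pre-patch variant terminates instead of exhausting memory. */
#define MAX_ENTRIES 64

struct msn_entry {
	char *msn;
	struct msn_entry *next;
};

static void free_msn_list(struct msn_entry *head)
{
	while (head) {
		struct msn_entry *next = head->next;
		free(head->msn);
		free(head);
		head = next;
	}
}

/*
 * Walk "1234,5678,9012" and build a linked list, one entry per field.
 * Returns the number of entries, or -1 if the walk did not finish within
 * MAX_ENTRIES iterations (the infinite loop from the report).
 */
static int split_msn_list(const char *list, int fix_off_by_one,
			  struct msn_entry **head_out)
{
	const char *sp = list, *cp;
	struct msn_entry *head = NULL, *back = NULL, *ptr;
	size_t len;
	int count = 0;

	*head_out = NULL;
	do {
		cp = strchr(sp, ',');                /* next separator, or NULL */
		len = cp ? (size_t)(cp - sp) : strlen(sp);

		ptr = malloc(sizeof(*ptr));
		if (!ptr)
			abort();
		ptr->msn = malloc(len + 1);
		if (!ptr->msn)
			abort();
		memcpy(ptr->msn, sp, len);
		ptr->msn[len] = '\0';
		ptr->next = NULL;
		if (!head)
			head = ptr;
		else
			back->next = ptr;
		back = ptr;

		if (++count > MAX_ENTRIES) {         /* cp == sp, len == 0, forever */
			free_msn_list(head);
			return -1;
		}

		/*
		 * Pre-patch: sp += len stops on the ',' itself, so the next
		 * strchr() finds it at offset 0 again.  Fixed: also step over the
		 * separator.  On the last field cp is NULL and the loop exits, so
		 * sp ending one past the NUL is never dereferenced.
		 */
		sp += len + (fix_off_by_one ? 1 : 0);
	} while (cp);

	*head_out = head;
	return count;
}

/*
 * Join the parsed fields with '|' and compare with expected.
 * expected == NULL means "the walk must not terminate" (split returns -1).
 */
static int msn_list_matches(const char *list, int fix_off_by_one,
			    const char *expected)
{
	struct msn_entry *head, *p;
	char joined[256];
	size_t used = 0;
	int n = split_msn_list(list, fix_off_by_one, &head);

	if (n < 0)
		return expected == NULL;
	if (!expected) {
		free_msn_list(head);
		return 0;
	}
	joined[0] = '\0';
	for (p = head; p; p = p->next) {
		size_t l = strlen(p->msn);
		if (used + l + 2 > sizeof(joined)) {
			free_msn_list(head);
			return 0;
		}
		if (p != head)
			joined[used++] = '|';
		memcpy(joined + used, p->msn, l);
		used += l;
		joined[used] = '\0';
	}
	free_msn_list(head);
	return strcmp(joined, expected) == 0;
}

int main(void)
{
	const char *list = "1234,5678,9012";   /* constructed sample input */
	struct msn_entry *head;
	int n;

	n = split_msn_list(list, 0, &head);
	printf("pre-patch: %d (-1 = never terminates)\n", n);
	free_msn_list(head);                   /* head is NULL when n < 0 */

	n = split_msn_list(list, 1, &head);
	printf("with fix : %d entries\n", n);
	free_msn_list(head);
	return 0;
}
```

A single-field list never hits the bug in either variant because cp is NULL on the first pass; the trailing-comma case shows the one behavioural difference the fix introduces beyond termination, an extra empty entry instead of an endless loop.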