Date: Thu, 3 Feb 2005 16:37:47 +0100
From: Karsten Keil <kkeil@suse.de>
To: Andrew Morton <akpm@osdl.org>
Cc: Linus Torvalds <torvalds@osdl.org>, linux-kernel@vger.kernel.org,
       Oskar Senft <oskar.senft@gmx.de>
Subject: ISDN4Linux Bug in isdnhdlc.c
Message-ID: <20050203153747.GB6990@pingi3.kke.suse.de>
Mail-Followup-To: Andrew Morton <akpm@osdl.org>,
	Linus Torvalds <torvalds@osdl.org>, linux-kernel@vger.kernel.org,
	Oskar Senft <oskar.senft@gmx.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Organization: SuSE Linux AG
User-Agent: Mutt/1.5.6i
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1144
Lines: 38

Hi,

Oskar found a critical bug in isdnhdlc.c, please
apply this simple fix to next versions.


From: Oskar Senft <oskar.senft@gmx.de>

isdnhdlc_decode is called multiple times for bigger frames, so
decrementing dsize is a bad idea and can cause a overflow of
the dst buffer.


Signed-off-by: Karsten Keil <kkeil@suse.de>

diff -ur linux-2.6.11-rc2.org/drivers/isdn/hisax/isdnhdlc.c linux-2.6.11-rc2/drivers/isdn/hisax/isdnhdlc.c
--- linux-2.6.11-rc2.org/drivers/isdn/hisax/isdnhdlc.c	2004-11-23 15:53:25.000000000 +0100
+++ linux-2.6.11-rc2/drivers/isdn/hisax/isdnhdlc.c	2005-02-03 15:50:06.352137856 +0100
@@ -308,7 +308,7 @@
 				hdlc->crc = crc_ccitt_byte(hdlc->crc, hdlc->shift_reg);
 
 				// good byte received
-				if (dsize--) {
+				if (hdlc->dstpos < dsize) {
 					dst[hdlc->dstpos++] = hdlc->shift_reg;
 				} else {
 					// frame too long

-- 
Karsten Keil
SuSE Labs
ISDN development
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/