Commit 819a1008 authored by Dan Carpenter's avatar Dan Carpenter Committed by David S. Miller

mISDN: array underflow in open_bchannel()

There are two channels here.  User space starts counting channels at one
but in the kernel we start at zero.  If the user passes in a zero
channel that's invalid and could lead to memory corruption.
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c54e9bd3
...@@ -891,7 +891,7 @@ open_bchannel(struct fritzcard *fc, struct channel_req *rq) ...@@ -891,7 +891,7 @@ open_bchannel(struct fritzcard *fc, struct channel_req *rq)
{ {
struct bchannel *bch; struct bchannel *bch;
if (rq->adr.channel > 2) if (rq->adr.channel == 0 || rq->adr.channel > 2)
return -EINVAL; return -EINVAL;
if (rq->protocol == ISDN_P_NONE) if (rq->protocol == ISDN_P_NONE)
return -EINVAL; return -EINVAL;
......
...@@ -1962,7 +1962,7 @@ open_bchannel(struct hfc_pci *hc, struct channel_req *rq) ...@@ -1962,7 +1962,7 @@ open_bchannel(struct hfc_pci *hc, struct channel_req *rq)
{ {
struct bchannel *bch; struct bchannel *bch;
if (rq->adr.channel > 2) if (rq->adr.channel == 0 || rq->adr.channel > 2)
return -EINVAL; return -EINVAL;
if (rq->protocol == ISDN_P_NONE) if (rq->protocol == ISDN_P_NONE)
return -EINVAL; return -EINVAL;
......
...@@ -486,7 +486,7 @@ open_bchannel(struct hfcsusb *hw, struct channel_req *rq) ...@@ -486,7 +486,7 @@ open_bchannel(struct hfcsusb *hw, struct channel_req *rq)
{ {
struct bchannel *bch; struct bchannel *bch;
if (rq->adr.channel > 2) if (rq->adr.channel == 0 || rq->adr.channel > 2)
return -EINVAL; return -EINVAL;
if (rq->protocol == ISDN_P_NONE) if (rq->protocol == ISDN_P_NONE)
return -EINVAL; return -EINVAL;
......
...@@ -1506,7 +1506,7 @@ open_bchannel(struct ipac_hw *ipac, struct channel_req *rq) ...@@ -1506,7 +1506,7 @@ open_bchannel(struct ipac_hw *ipac, struct channel_req *rq)
{ {
struct bchannel *bch; struct bchannel *bch;
if (rq->adr.channel > 2) if (rq->adr.channel == 0 || rq->adr.channel > 2)
return -EINVAL; return -EINVAL;
if (rq->protocol == ISDN_P_NONE) if (rq->protocol == ISDN_P_NONE)
return -EINVAL; return -EINVAL;
......
...@@ -1670,7 +1670,7 @@ isar_open(struct isar_hw *isar, struct channel_req *rq) ...@@ -1670,7 +1670,7 @@ isar_open(struct isar_hw *isar, struct channel_req *rq)
{ {
struct bchannel *bch; struct bchannel *bch;
if (rq->adr.channel > 2) if (rq->adr.channel == 0 || rq->adr.channel > 2)
return -EINVAL; return -EINVAL;
if (rq->protocol == ISDN_P_NONE) if (rq->protocol == ISDN_P_NONE)
return -EINVAL; return -EINVAL;
......
...@@ -860,7 +860,7 @@ open_bchannel(struct tiger_hw *card, struct channel_req *rq) ...@@ -860,7 +860,7 @@ open_bchannel(struct tiger_hw *card, struct channel_req *rq)
{ {
struct bchannel *bch; struct bchannel *bch;
if (rq->adr.channel > 2) if (rq->adr.channel == 0 || rq->adr.channel > 2)
return -EINVAL; return -EINVAL;
if (rq->protocol == ISDN_P_NONE) if (rq->protocol == ISDN_P_NONE)
return -EINVAL; return -EINVAL;
......
...@@ -1015,7 +1015,7 @@ open_bchannel(struct w6692_hw *card, struct channel_req *rq) ...@@ -1015,7 +1015,7 @@ open_bchannel(struct w6692_hw *card, struct channel_req *rq)
{ {
struct bchannel *bch; struct bchannel *bch;
if (rq->adr.channel > 2) if (rq->adr.channel == 0 || rq->adr.channel > 2)
return -EINVAL; return -EINVAL;
if (rq->protocol == ISDN_P_NONE) if (rq->protocol == ISDN_P_NONE)
return -EINVAL; return -EINVAL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment