From c101cff9010083a8796353a75673fd100b077b79 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Sun, 1 Feb 2015 23:54:25 +0300 Subject: isdn: off by one in connect_res() The bug here is that we use "Reject" as the index into the cau_t[] array in the else path. Since the cau_t[] has 9 elements if Reject == 9 then we are reading beyond the end of the array. My understanding of the code is that it's saying that if Reject is 1 or too high then that's invalid and we should hang up. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller --- drivers/isdn/hardware/eicon/message.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/isdn/hardware') diff --git a/drivers/isdn/hardware/eicon/message.c b/drivers/isdn/hardware/eicon/message.c index 0b380603a578..d7c286656a25 100644 --- a/drivers/isdn/hardware/eicon/message.c +++ b/drivers/isdn/hardware/eicon/message.c @@ -1474,7 +1474,7 @@ static byte connect_res(dword Id, word Number, DIVA_CAPI_ADAPTER *a, add_ai(plci, &parms[5]); sig_req(plci, REJECT, 0); } - else if (Reject == 1 || Reject > 9) + else if (Reject == 1 || Reject >= 9) { add_ai(plci, &parms[5]); sig_req(plci, HANGUP, 0); -- cgit v1.2.3