Message-ID: <87mw06egrg.fsf@rasmusvillemoes.dk>
Date: Thu, 11 Jun 2015 11:28:03 +0200
From: Rasmus Villemoes <linux@...musvillemoes.dk>
To: Dan Carpenter <dan.carpenter@...cle.com>
Cc: linux-kernel@...r.kernel.org, Karsten Keil <isdn@...ux-pingi.de>,
netdev@...r.kernel.org
Subject: Re: isdn: pcbit: another off-by-one issue?
[adding some emails I should have Cc'ed in the first place]
On Thu, Jun 11 2015, Dan Carpenter <dan.carpenter@...cle.com> wrote:
> On Wed, Jun 10, 2015 at 09:50:53PM +0200, Rasmus Villemoes wrote:
>> Hi Dan
>>
>> You were last to touch drivers/isdn/pcbit/drv.c (7bcc6738eef), but I
>> think there may still be an off-by-one in pcbit_set_msn: At the end of
>> the loop, sp is incremented by len, but if the string contained a comma,
>> sp will now point at that. At that point, we seem to be stuck in an
>> infinite loop where we'll always get cp==sp and len==0, until we run out
>> of memory.
>>
>> Am I reading this completely wrong?
>
> Nope. You're right. That bug has been there since before the start of
> git. We could fix it by doing:
>
> diff --git a/drivers/isdn/pcbit/drv.c b/drivers/isdn/pcbit/drv.c
> index 4172e22..b156d5b 100644
> --- a/drivers/isdn/pcbit/drv.c
> +++ b/drivers/isdn/pcbit/drv.c
> @@ -1053,7 +1053,7 @@ static void pcbit_set_msn(struct pcbit_dev *dev, char *list)
> else
> back->next = ptr;
> back = ptr;
> - sp += len;
> + sp += len + 1;
> } while (cp);
> }
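Review bot: the `+ 1` in `sp += len + 1;` is only meaningful when `cp` is non-NULL (it steps over the comma that `sp += len` left `sp` pointing at); on the final iteration, when `cp` is NULL, it moves `sp` one past the string's terminator, which is harmless solely because the `} while (cp);` test exits before `sp` is dereferenced again. Consider making that dependency explicit, either with a short comment or by advancing as `sp = cp + 1;` inside the `if (cp)` branch and leaving `sp` alone otherwise, so a later edit to the loop condition cannot silently turn the end-of-list case into an out-of-bounds read.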
Yep, that's also what I would do.
Since nobody seems to have been hit by this ever, I wonder whether it's
stable@ material. It probably doesn't make sense to fix this without
also backporting 7bcc6738eef.
Rasmus
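To make the failure mode concrete, here is a user-space model of the loop discussed above, added for this write-up and not taken from drivers/isdn/pcbit/drv.c. It assumes the loop structure Rasmus describes (strchr for the next comma, copy `len` bytes, then advance `sp`) and is parameterised so the same function can run with the original stride (`sp += len`) or with the proposed stride (`sp += len + 1`). Unlike the kernel loop, it caps the number of entries so the buggy variant stops instead of allocating until memory runs out; hitting that cap is how the stall shows up.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8   /* cap so the buggy stride terminates (kernel has none) */
#define MSN_LEN     32  /* constructed limit for one MSN string */

/*
 * Split a comma-separated MSN list into entries[], returning the number stored.
 * skip_comma == 0 reproduces the stride described in the thread (sp += len);
 * skip_comma == 1 applies Dan's proposed fix (sp += len + 1).
 * Returns MAX_ENTRIES when the loop never reaches the end of the string.
 */
static int parse_msn_list(const char *list, int skip_comma,
                          char entries[MAX_ENTRIES][MSN_LEN])
{
    const char *sp = list;
    const char *cp;
    size_t len;
    int n = 0;

    do {
        cp = strchr(sp, ',');
        len = cp ? (size_t)(cp - sp) : strlen(sp);

        if (n == MAX_ENTRIES)
            return n;                 /* stalled: would loop forever in the driver */
        if (len >= MSN_LEN)
            len = MSN_LEN - 1;        /* truncate instead of overflowing the model */

        memcpy(entries[n], sp, len);
        entries[n][len] = '\0';
        n++;

        /* With skip_comma == 0 and cp != NULL, sp now points at the comma,
         * so the next strchr() finds it immediately: cp == sp, len == 0. */
        sp += len + (skip_comma ? 1 : 0);
    } while (cp);

    return n;
}

/* Helper: how many entries a given stride produces for this list. */
static int count_entries(const char *list, int skip_comma)
{
    char entries[MAX_ENTRIES][MSN_LEN];
    return parse_msn_list(list, skip_comma, entries);
}

/* Helper: 1 if entry idx equals expect, 0 otherwise (or if idx was never filled). */
static int nth_entry_is(const char *list, int skip_comma, int idx, const char *expect)
{
    char entries[MAX_ENTRIES][MSN_LEN];
    int n = parse_msn_list(list, skip_comma, entries);
    return idx < n && strcmp(entries[idx], expect) == 0;
}

int main(void)
{
    const char *list = "123,456";   /* constructed two-number MSN list */
    int stride;

    for (stride = 0; stride <= 1; stride++) {
        char entries[MAX_ENTRIES][MSN_LEN];
        int n = parse_msn_list(list, stride, entries);
        int i;

        printf("sp += len%s: %d entries%s\n", stride ? " + 1" : "", n,
               n == MAX_ENTRIES ? " (hit cap: loop would not terminate)" : "");
        for (i = 0; i < n; i++)
            printf("  [%d] \"%s\"\n", i, entries[i]);
    }
    return 0;
}
```

A list without any comma never triggers the bug, which matches the observation in the thread that nobody had been hit by it: the single-entry path takes `len = strlen(sp)` and exits on the first `while (cp)` check regardless of the stride.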