Re: isdn: pcbit: another off-by-one issue?

From: Dan Carpenter
Date: Thu Jun 11 2015 - 03:59:10 EST


On Wed, Jun 10, 2015 at 09:50:53PM +0200, Rasmus Villemoes wrote:
> Hi Dan
>
> You were last to touch drivers/isdn/pcbit/drv.c (7bcc6738eef), but I
> think there may still be an off-by-one in pcbit_set_msn: At the end of
> the loop, sp is incremented by len, but if the string contained a comma,
> sp will now point at that. At that point, we seem to be stuck in an
> infinite loop where we'll always get cp==sp and len==0, until we run out
> of memory.
>
> Am I reading this completely wrong?

Nope. You're right. That bug has been there since before the start of
git. We could fix it by doing:

diff --git a/drivers/isdn/pcbit/drv.c b/drivers/isdn/pcbit/drv.c
index 4172e22..b156d5b 100644
--- a/drivers/isdn/pcbit/drv.c
+++ b/drivers/isdn/pcbit/drv.c
@@ -1053,7 +1053,7 @@ static void pcbit_set_msn(struct pcbit_dev *dev, char *list)
else
back->next = ptr;
back = ptr;
- sp += len;
+ sp += len + 1;
} while (cp);
}
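Review bot: the unconditional `+ 1` in `sp += len + 1;` is correct only because the loop exits on `} while (cp);` whenever no comma was found, so the overshoot past the terminator is never used; a one-line comment saying the extra byte skips the comma found by the previous search would make that dependency explicit. Also worth checking the input that ends with a comma: after this change, the final iteration runs with `sp` pointing at the terminator (the `while (cp)` test only sees that a comma was found), so confirm that an empty trailing entry is acceptable or add a guard for it.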


regards,
dan carpenter