Commit d49452ab authored by Oskar Senft, committed by Linus Torvalds

[PATCH] Fix ISDN4Linux bug in isdnhdlc.c

isdnhdlc_decode is called multiple times for bigger frames, so
decrementing dsize is a bad idea and can cause an overflow of
the dst buffer.
Signed-off-by: Karsten Keil <kkeil@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent d27b54cc
...@@ -308,7 +308,7 @@ int isdnhdlc_decode (struct isdnhdlc_vars *hdlc, const unsigned char *src, ...@@ -308,7 +308,7 @@ int isdnhdlc_decode (struct isdnhdlc_vars *hdlc, const unsigned char *src,
hdlc->crc = crc_ccitt_byte(hdlc->crc, hdlc->shift_reg); hdlc->crc = crc_ccitt_byte(hdlc->crc, hdlc->shift_reg);
// good byte received // good byte received
if (dsize--) { if (hdlc->dstpos < dsize) {
dst[hdlc->dstpos++] = hdlc->shift_reg; dst[hdlc->dstpos++] = hdlc->shift_reg;
} else { } else {
// frame too long // frame too long
......
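Review bot: at `if (hdlc->dstpos < dsize)`, the bound now depends on state that lives outside this call. It is only a valid limit if `hdlc->dstpos` is reset at the start of every frame and the caller passes the same `dst` buffer with its full size in `dsize` on each call that continues a frame, which is the multi-call case the commit message describes. Please state that contract in the comment above `isdnhdlc_decode`, and confirm that `hdlc->dstpos` and `dsize` have the same signedness so the comparison cannot be defeated by a negative or wrapped value; their declarations are not visible in this hunk.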