Skip to content

Commit

Permalink
irda: off by one
Browse files Browse the repository at this point in the history 
This is an off by one.  We would go past the end when we NUL terminate
the "value" string at end of the function.  The "value" buffer is
allocated in irlan_client_parse_response() or
irlan_provider_parse_command().

CC: stable@kernel.org
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
@error27 @davem330
error27 authored and davem330 committed Sep 7, 2010
1 parent 89b12fa commit cf9b94f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion net/irda/irlan/irlan_common.c
View file
Expand Up @@ -1102,7 +1102,7 @@ int irlan_extract_param(__u8 *buf, char *name, char *value, __u16 *len)
memcpy(&val_len, buf+n, 2); /* To avoid alignment problems */
le16_to_cpus(&val_len); n+=2;

if (val_len > 1016) {
if (val_len >= 1016) {
IRDA_DEBUG(2, "%s(), parameter length to long\n", __func__ );
return -RSP_INVALID_COMMAND_FORMAT;
}
Expand Down

0 comments on commit cf9b94f

Please sign in to comment.