[adding some emails I should have Cc'ed in the first place]

On Thu, Jun 11 2015, Dan Carpenter <dan.carpen...@oracle.com> wrote:
> On Wed, Jun 10, 2015 at 09:50:53PM +0200, Rasmus Villemoes wrote:
>> Hi Dan
>>
>> You were last to touch drivers/isdn/pcbit/drv.c (7bcc6738eef), but I
>> think there may still be an off-by-one in pcbit_set_msn: At the end of
>> the loop, sp is incremented by len, but if the string contained a comma,
>> sp will now point at that. At that point, we seem to be stuck in an
>> infinite loop where we'll always get cp==sp and len==0, until we run out
>> of memory.
>>
>> Am I reading this completely wrong?
>
> Nope. You're right. That bug has been there since before the start of
> git. We could fix it by doing:
>
> diff --git a/drivers/isdn/pcbit/drv.c b/drivers/isdn/pcbit/drv.c > index 4172e22..b156d5b 100644 > --- a/drivers/isdn/pcbit/drv.c > +++ b/drivers/isdn/pcbit/drv.c > @@ -1053,7 +1053,7 @@ static void pcbit_set_msn(struct pcbit_dev *dev, char > *list) > else > back->next = ptr; > back = ptr; > - sp += len; > + sp += len + 1; > } while (cp); > }

Yep, that's also what I would do. Since nobody seems to have been hit by
this ever, I wonder whether it's stable@ material. It probably doesn't
make sense to fix this without also backporting 7bcc6738eef.

Rasmus
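
Review bot: on the last pass, when cp is NULL and `while (cp)` ends the loop, `sp += len + 1` still adds the extra 1 even though there is no comma left to step over. Nothing visible in the hunk reads sp after the loop, so this looks harmless here, but advancing only when a comma was found (for example `sp = cp + 1` under `if (cp)`) would state the intent and avoid leaving sp pointing past the data it was walking. Separately, with the infinite loop gone, a list containing an empty field such as two adjacent commas still appears to give cp==sp and len==0 for one pass, and that pass would link an entry through `back->next = ptr`; it is worth deciding whether empty entries should be skipped instead. A formal submission would also need a changelog describing the cp==sp, len==0 loop and a Signed-off-by line.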