If l == 12 then later we subtract 12 leaving zero. We do a zero size
allocation, so "dbgline" points to the ZERO_SIZE_PTR. It leads to an
oops when we set the NUL terminator:
dbgline[3 * l - 1] = '\0';
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
Static analysis stuff.
diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c
index 68452b7..0d34325 100644
--- a/drivers/isdn/gigaset/capi.c
+++ b/drivers/isdn/gigaset/capi.c
@@ -239,7 +239,7 @@ static inline void dump_rawmsg(enum debuglevel level, const char *tag,
return;
l = CAPIMSG_LEN(data);
- if (l < 12) {
+ if (l <= 12) {
gig_dbg(level, "%s: ??? LEN=%04d", tag, l);
return;
}
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
