On Wed, Jun 10, 2015 at 09:50:53PM +0200, Rasmus Villemoes wrote:
> Hi Dan
>
> You were last to touch drivers/isdn/pcbit/drv.c (7bcc6738eef), but I
> think there may still be an off-by-one in pcbit_set_msn: At the end of
> the loop, sp is incremented by len, but if the string contained a comma,
> sp will now point at that. At that point, we seem to be stuck in an
> infinite loop where we'll always get cp==sp and len==0, until we run out
> of memory.
>
> Am I reading this completely wrong?
Nope. You're right. That bug has been there since before the start of
git. We could fix it by doing:
diff --git a/drivers/isdn/pcbit/drv.c b/drivers/isdn/pcbit/drv.c
index 4172e22..b156d5b 100644
--- a/drivers/isdn/pcbit/drv.c
+++ b/drivers/isdn/pcbit/drv.c
@@ -1053,7 +1053,7 @@ static void pcbit_set_msn(struct pcbit_dev *dev, char
*list)
else
back->next = ptr;
back = ptr;
- sp += len;
+ sp += len + 1;
} while (cp);
}
regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
