• Dan Carpenter's avatar
    irda: small read past the end of array in debug code · e15465e1
    Dan Carpenter authored
    The "reason" can come from skb->data[] and it hasn't been capped so it
    can be from 0-255 instead of just 0-6.  For example in irlmp_state_dtr()
    the code does:
    	reason = skb->data[3];
    	irlmp_disconnect_indication(self, reason, skb);
    Also LMREASON has a couple other values which don't have entries in the
    irlmp_reasons[] array.  And 0xff is a valid reason as well which means
    So far as I can see we don't actually care about "reason" except for in
    the debug code.
    Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
irlmp.h 8.89 KB