From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752210AbbFJTvH (ORCPT <rfc822;w@1wt.eu>);
	Wed, 10 Jun 2015 15:51:07 -0400
Received: from mail-la0-f41.google.com ([209.85.215.41]:33799 "EHLO
	mail-la0-f41.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750734AbbFJTu5 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 10 Jun 2015 15:50:57 -0400
From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: linux-kernel@vger.kernel.org
Subject: isdn: pcbit: another off-by-one issue?
Organization: D03
Date: Wed, 10 Jun 2015 21:50:53 +0200
Message-ID: <87381zqr4y.fsf@rasmusvillemoes.dk>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Dan

You were last to touch drivers/isdn/pcbit/drv.c (7bcc6738eef), but I
think there may still be an off-by-one in pcbit_set_msn: At the end of
the loop, sp is incremented by len, but if the string contained a comma,
sp will now point at that. At that point, we seem to be stuck in an
infinite loop where we'll always get cp==sp and len==0, until we run out
of memory.

Am I reading this completely wrong?

Rasmus