isdn/capi: prevent index overrun from command_2_index()

The result of the function command_2_index() is used to index two
arrays mnames[] and cpars[] with max. index 0x4e but in its current
form that function can produce results up to 3*(0x9+0x9)+0x7f =
0xb5.
Fix by clamping all result values potentially overrunning the arrays
to zero which is already handled as an invalid value.

Re-spotted with Coverity.

Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/isdn/capi/capiutil.c b/drivers/isdn/capi/capiutil.c
index 4073d16..b501d76 100644 (file)
--- a/drivers/isdn/capi/capiutil.c
+++ b/drivers/isdn/capi/capiutil.c
@@ -207,6 +207,8 @@ static unsigned command_2_index(unsigned c, unsigned sc)
                c = 0x9 + (c & 0x0f);
        else if (c == 0x41)
                c = 0x9 + 0x1;
+       if (c > 0x18)
+               c = 0x00;
        return (sc & 3) * (0x9 + 0x9) + c;
 }