From be7a7411d63ccad165d66fe8e0b11b2ee336159b Mon Sep 17 00:00:00 2001 From: Ken Mills Date: Mon, 13 Dec 2010 15:27:27 +0000 Subject: n_gsm: Fix message length handling when building header Fix message length handling when building header When the message length is greater than 127, the length field in the header is built incorrectly. According to the spec, when the length is less than 128 the length field is a single byte formatted as: bbbbbbb1. When it is greater than 127 then the field is two bytes of the format: bbbbbbb0 bbbbbbbb. Signed-off-by: Ken Mills Signed-off-by: Alan Cox Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 81b4658..2fc5cf2 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -716,8 +716,8 @@ static void __gsm_data_queue(struct gsm_dlci *dlci, struct gsm_msg *msg) if (msg->len < 128) *--dp = (msg->len << 1) | EA; else { - *--dp = ((msg->len & 127) << 1) | EA; - *--dp = (msg->len >> 6) & 0xfe; + *--dp = (msg->len >> 7); /* bits 7 - 15 */ + *--dp = (msg->len & 127) << 1; /* bits 0 - 6 */ } } -- cgit v0.10.2 From 093d804611b9a38fe59753b37c29f840518406a9 Mon Sep 17 00:00:00 2001 From: Ken Mills Date: Mon, 13 Dec 2010 15:28:03 +0000 Subject: n_gsm: gsm_data_alloc buffer allocation could fail and it is not being checked gsm_data_alloc buffer allocation could fail and it is not being checked. Add check for allocated buffer and return if the buffer allocation fails. Signed-off-by: Ken Mills Signed-off-by: Alan Cox Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 2fc5cf2..c5f8e5b 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -968,6 +968,8 @@ static void gsm_control_reply(struct gsm_mux *gsm, int cmd, u8 *data, { struct gsm_msg *msg; msg = gsm_data_alloc(gsm, 0, dlen + 2, gsm->ftype); + if (msg == NULL) + return; msg->data[0] = (cmd & 0xFE) << 1 | EA; /* Clear C/R */ msg->data[1] = (dlen << 1) | EA; memcpy(msg->data + 2, data, dlen); -- cgit v0.10.2