authorDan Carpenter <dan.carpenter@oracle.com>2012-02-29 07:37:53 +0100
committerJohn W. Linville <linville@tuxdriver.com>2012-03-05 21:23:16 +0100
commite4e02da2ef01deb36aa80fce6ee0bc3e9725ffe8 (patch)
tree5ac64bf2c118cd9d9cb98bbd726e763ab70abd2a
parentrndis_wlan: make some variables unsigned (diff)
rndis_wlan: prevent integer overflow in indication()
If we pick a high value for "offset" then it could lead to an integer overflow and we would get past the check for: if (offset + len > buflen) { ... Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/rndis_wlan.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index 454f2f182342..ce138d846193 100644
--- a/drivers/net/wireless/rndis_wlan.c
+++ b/drivers/net/wireless/rndis_wlan.c
@@ -3043,7 +3043,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
struct rndis_indicate *msg, int buflen)
{
struct ndis_80211_status_indication *indication;
- int len, offset;
+ unsigned int len, offset;
offset = offsetof(struct rndis_indicate, status) +
le32_to_cpu(msg->offset);
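Review bot: `buflen` stays a signed `int` in the signature while `len` and `offset` become `unsigned int`, so every comparison against it in the second hunk is made after `buflen` is converted to unsigned. If a caller could ever pass a negative `buflen` (not visible here), it would act as a very large bound and the new checks would pass; an explicit `if (buflen < 0) return;` before the offset computation, or a comment stating that callers guarantee a non-negative length, would close that gap. The sum `offsetof(struct rndis_indicate, status) + le32_to_cpu(msg->offset)` can also wrap in 32-bit arithmetic because `msg->offset` comes from the device. A short comment such as `/* device-supplied; may wrap, range-checked against buflen below */` would record why the later check is sufficient. The function body continues outside this hunk.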
@@ -3055,7 +3055,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
return;
}
- if (offset + len > buflen) {
+ if (len > buflen || offset > buflen || offset + len > buflen) {
netdev_info(usbdev->net, "media specific indication, too large to fit to buffer (%i > %i)\n",
offset + len, buflen);
return;
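Review bot: The `netdev_info()` call still formats `offset + len` with `%i` although both operands are now `unsigned int`. On the inputs this check newly rejects the sum may have wrapped, so the logged value can look smaller than `buflen` and mislead whoever triages the message. Logging the operands separately keeps it accurate: `"media specific indication, too large to fit to buffer (%u + %u > %i)\n", offset, len, buflen);`. The function starts and ends outside this hunk.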