diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2012-02-29 07:37:53 +0100 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2012-03-05 21:23:16 +0100 |
commit | e4e02da2ef01deb36aa80fce6ee0bc3e9725ffe8 (patch) | |
tree | 5ac64bf2c118cd9d9cb98bbd726e763ab70abd2a | |
parent | rndis_wlan: make some variables unsigned (diff) | |
download | linux-e4e02da2ef01deb36aa80fce6ee0bc3e9725ffe8.tar.xz linux-e4e02da2ef01deb36aa80fce6ee0bc3e9725ffe8.zip |
rndis_wlan: prevent integer overflow in indication()
If we pick a high value for "offset" then it could lead to an integer
overflow and we would get past the check for:
if (offset + len > buflen) { ...
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r-- | drivers/net/wireless/rndis_wlan.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c index 454f2f182342..ce138d846193 100644 --- a/drivers/net/wireless/rndis_wlan.c +++ b/drivers/net/wireless/rndis_wlan.c @@ -3043,7 +3043,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev, struct rndis_indicate *msg, int buflen) { struct ndis_80211_status_indication *indication; - int len, offset; + unsigned int len, offset; offset = offsetof(struct rndis_indicate, status) + le32_to_cpu(msg->offset); @@ -3055,7 +3055,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev, return; } - if (offset + len > buflen) { + if (len > buflen || offset > buflen || offset + len > buflen) { netdev_info(usbdev->net, "media specific indication, too large to fit to buffer (%i > %i)\n", offset + len, buflen); return; |