summaryrefslogtreecommitdiffstats
path: root/lib/raid6/avx2.c
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2018-06-05 13:31:39 +0200
committerKalle Valo <kvalo@codeaurora.org>2018-06-27 18:06:42 +0200
commitae636fb1554833ee5133ca47bf4b2791b6739c52 (patch)
tree8804c6230882f956be4fcf0d7f9dd62ca78a1a7e /lib/raid6/avx2.c
parentatmel: use memdup_user to simplify the code (diff)
downloadlinux-ae636fb1554833ee5133ca47bf4b2791b6739c52.tar.xz
linux-ae636fb1554833ee5133ca47bf4b2791b6739c52.zip
rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
This is a static checker fix, not something I have tested. The issue is that on the second iteration through the loop, we jump forward by le32_to_cpu(auth_req->length) bytes. The problem is that if the length is more than "buflen" then we end up with a negative "buflen". A negative buflen is type promoted to a high positive value and the loop continues but it's accessing beyond the end of the buffer. I believe the "auth_req->length" comes from the firmware and if the firmware is malicious or buggy, you're already toasted so the impact of this bug is probably not very severe. Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Diffstat (limited to 'lib/raid6/avx2.c')
0 files changed, 0 insertions, 0 deletions