ozwpan: unchecked signed subtraction leads to DoS

[firefly-linux-kernel-4.4.55.git] / drivers / staging / ozwpan / ozusbsvc1.c

diff --git a/drivers/staging/ozwpan/ozusbsvc1.c b/drivers/staging/ozwpan/ozusbsvc1.c
index 7b13dc9101721a9a602115671659078c7b2e934a..f660bb198c65534a6cbe8183d3f5d0a30a532eb1 100644 (file)
--- a/drivers/staging/ozwpan/ozusbsvc1.c
+++ b/drivers/staging/ozwpan/ozusbsvc1.c
@@ -326,10 +326,11 @@ static void oz_usb_handle_ep_data(struct oz_usb_ctx *usb_ctx,
                        struct oz_multiple_fixed *body =
                                (struct oz_multiple_fixed *)data_hdr;
                        u8 *data = body->data;
-                       int n;
-                       if (!body->unit_size)
+                       unsigned int n;
+                       if (!body->unit_size ||
+                               len < sizeof(struct oz_multiple_fixed) - 1)
                                break;
-                       n = (len - sizeof(struct oz_multiple_fixed)+1)
+                       n = (len - (sizeof(struct oz_multiple_fixed) - 1))
                                / body->unit_size;
                        while (n--) {
                                oz_hcd_data_ind(usb_ctx->hport, body->endpoint,