NFC: potential integer overflow problem in check_crc()
authorDan Carpenter <dan.carpenter@oracle.com>
Fri, 18 May 2012 07:36:47 +0000 (10:36 +0300)
committerJohn W. Linville <linville@tuxdriver.com>
Fri, 25 May 2012 15:16:16 +0000 (11:16 -0400)
If "buf[0]" is 255 then "len" gets set to 0.  The call to
"crc_ccitt(0xffff, buf, len - 2);" casts the "len - 2" to a high
positive number which is ugly.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/nfc/pn544_hci.c

index 46f4a9f9f5e476ce90729e4386c74442abcfa05f..281f18c2fb8282670c4dd6dab4593ab4ef3cc4b8 100644 (file)
@@ -232,7 +232,7 @@ static int pn544_hci_i2c_write(struct i2c_client *client, u8 *buf, int len)
 
 static int check_crc(u8 *buf, int buflen)
 {
-       u8 len;
+       int len;
        u16 crc;
 
        len = buf[0] + 1;