Staging: bcm: Fix an integer overflow in IOCTL_BCM_NVM_READ/WRITE
author Kevin McKinney <klmckinney1@gmail.com>
Tue, 20 Dec 2011 15:41:13 +0000 (10:41 -0500)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 9 Feb 2012 01:19:03 +0000 (17:19 -0800)

Variables stNVMReadWrite.uioffset and stNVMReadWrite.uiNumBytes
are chosen from userspace and can be very high. The sum of
these two digits would result in a small number. Therefore,
this patch verifies a negative number was not entered, and
reorganizes the equation to remove the integer overflow.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/bcm/Bcmchar.c

index 179707b5e7c7d915a7cc2845b40971af926478a3..8bf3f575160ff845304b1bd5eb8d3849abaeedaa 100644 (file)
@@ -1302,8 +1302,10 @@ cntrlEnd:
                /*
                 * Deny the access if the offset crosses the cal area limit.
                 */
+               if (stNVMReadWrite.uiNumBytes > Adapter->uiNVMDSDSize)
+                       return STATUS_FAILURE;
 
-               if ((stNVMReadWrite.uiOffset + stNVMReadWrite.uiNumBytes) > Adapter->uiNVMDSDSize) {
+               if (stNVMReadWrite.uiOffset > Adapter->uiNVMDSDSize - stNVMReadWrite.uiNumBytes) {
                        /* BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Can't allow access beyond NVM Size: 0x%x 0x%x\n", stNVMReadWrite.uiOffset, stNVMReadWrite.uiNumBytes); */
                        return STATUS_FAILURE;
                }
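
Review bot: The rewritten comparison `uiOffset > uiNVMDSDSize - uiNumBytes` is only wrap-free because the added `uiNumBytes > uiNVMDSDSize` check runs first, and nothing in the code says so. The new `if` is inserted between the existing "Deny the access if the offset crosses the cal area limit" comment and the test that comment describes, so the comment now sits above the length check instead. I would move the comment down to the offset test and add a one-line comment on the new check stating that it guarantees the subtraction below cannot underflow, so that a later cleanup does not reorder or merge the two conditions. The argument also assumes that all three values are unsigned and of the same width, which the hunk does not show; please confirm that in the commit message, which currently speaks of a "negative number". Both rejection paths return STATUS_FAILURE with the debug print still commented out, so a rejected request leaves no trace; consider whether a rate-limited message is wanted here.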