rndis_wlan: prevent integer overflow in indication()
author Dan Carpenter <dan.carpenter@oracle.com>
Wed, 29 Feb 2012 06:37:53 +0000 (09:37 +0300)
committer John W. Linville <linville@tuxdriver.com>
Mon, 5 Mar 2012 20:23:16 +0000 (15:23 -0500)
If we pick a high value for "offset" then it could lead to an integer
overflow and we would get past the check for:
if (offset + len > buflen) { ...

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/rndis_wlan.c

index 454f2f1823424a03ddedc311949a97299ce5576e..ce138d846193270e0f316f8ccc43c8379052875d 100644 (file)
@@ -3043,7 +3043,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
                        struct rndis_indicate *msg, int buflen)
 {
        struct ndis_80211_status_indication *indication;
-       int len, offset;
+       unsigned int len, offset;
 
        offset = offsetof(struct rndis_indicate, status) +
                        le32_to_cpu(msg->offset);
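Review bot: `len` and `offset` become `unsigned int` on the changed declaration, but `buflen` is still the `int` parameter in the signature just above, so every later comparison of these values against `buflen` converts `buflen` to unsigned. If a caller can ever pass a negative `buflen`, it would compare as a very large value and the bounds check would pass. Consider making `buflen` unsigned as well, or rejecting `buflen < 0` before the comparisons. A one-line comment at the declaration saying that `offset` is built from `le32_to_cpu(msg->offset)` and must not be signed would also help keep the types from being changed back later.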
@@ -3055,7 +3055,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
                return;
        }
 
-       if (offset + len > buflen) {
+       if (len > buflen || offset > buflen || offset + len > buflen) {
                netdev_info(usbdev->net, "media specific indication, too large to fit to buffer (%i > %i)\n",
                            offset + len, buflen);
                return;
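Review bot: the `netdev_info()` call under the new check still formats `offset + len` with `%i`, although both operands are now `unsigned int`. When the check fires because the sum would wrap, the message prints the wrapped sum (or a negative number), which is misleading in a log. Use `%u` and print `offset` and `len` as separate values. The condition itself could also avoid the addition entirely, for example `offset > buflen || len > buflen - offset`, which makes the absence of overflow evident without relying on the two preceding range checks.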