From: Dan Carpenter Date: Fri, 18 May 2012 07:36:47 +0000 (+0300) Subject: NFC: potential integer overflow problem in check_crc() X-Git-Tag: firefly_0821_release~3680^2~2713^2~3^2~10 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=885ba1da689299ec52e646ca1a2429b8de55f364;p=firefly-linux-kernel-4.4.55.git NFC: potential integer overflow problem in check_crc() If "buf[0]" is 255 then "len" gets set to 0. The call to "crc_ccitt(0xffff, buf, len - 2);" casts the "len - 2" to a high positive number which is ugly. Signed-off-by: Dan Carpenter Signed-off-by: John W. Linville --- diff --git a/drivers/nfc/pn544_hci.c b/drivers/nfc/pn544_hci.c index 46f4a9f9f5e4..281f18c2fb82 100644 --- a/drivers/nfc/pn544_hci.c +++ b/drivers/nfc/pn544_hci.c @@ -232,7 +232,7 @@ static int pn544_hci_i2c_write(struct i2c_client *client, u8 *buf, int len) static int check_crc(u8 *buf, int buflen) { - u8 len; + int len; u16 crc; len = buf[0] + 1;
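Review bot: in check_crc(), `int len;` removes the wrap for buf[0] == 255, but the small end is still uncovered: with buf[0] == 0, `len = buf[0] + 1;` gives 1, so the `len - 2` in the crc_ccitt() call quoted in the commit message is -1 and is converted to a very large length in the same way. The visible lines also never compare `len` with the `buflen` parameter, and `len` can now reach 256 from a byte taken out of the buffer itself. Unless the rest of the function already handles both, add a range check right after the assignment, something like `if (len < 2 || len > buflen)`, and fail the CRC check there before crc_ccitt() is called.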