NFC: potential integer overflow problem in check_crc()
If "buf[0]" is 255 then "len" gets set to 0. The call to "crc_ccitt(0xffff, buf, len - 2);" casts the "len - 2" to a high positive number which is ugly. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
parent
f380f2c4a1
commit
885ba1da68
@ -232,7 +232,7 @@ static int pn544_hci_i2c_write(struct i2c_client *client, u8 *buf, int len)
|
||||
|
||||
static int check_crc(u8 *buf, int buflen)
|
||||
{
|
||||
u8 len;
|
||||
int len;
|
||||
u16 crc;
|
||||
|
||||
len = buf[0] + 1;
|
||||
|
Loading…
Reference in New Issue
Block a user