iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rndis_wlan: prevent integer overflow in indication()

Browse Source 
If we pick a high value for "offset" then it could lead to an integer
overflow and we would get past the check for:
	if (offset + len > buflen) { ...

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
Dan Carpenter 2012-02-29 09:37:53 +03:00 committed by John W. Linville
parent 551d6fe6cb
commit e4e02da2ef
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/net/wireless/rndis_wlan.c
View File

@ -3043,7 +3043,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
struct rndis_indicate *msg, int buflen) struct rndis_indicate *msg, int buflen)
{ {
struct ndis_80211_status_indication *indication; struct ndis_80211_status_indication *indication;
int len, offset; unsigned int len, offset;
offset = offsetof(struct rndis_indicate, status) + offset = offsetof(struct rndis_indicate, status) +
le32_to_cpu(msg->offset); le32_to_cpu(msg->offset);
@ -3055,7 +3055,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
return; return;
} }
if (offset + len > buflen) { if (len > buflen || offset > buflen || offset + len > buflen) {
netdev_info(usbdev->net, "media specific indication, too large to fit to buffer (%i > %i)\n", netdev_info(usbdev->net, "media specific indication, too large to fit to buffer (%i > %i)\n",
offset + len, buflen); offset + len, buflen);
return; return;