diff options
| author | Kevin McKinney <klmckinney1@gmail.com> | 2011-12-20 15:41:13 (GMT) |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-02-09 01:19:03 (GMT) |
| commit | b71dbbcfaa2a2965e0797db7333396a71062a341 (patch) | |
| tree | 8e74932054e9f9f9ab87642def51deb45e2dab9a /drivers/staging/bcm | |
| parent | 3c92e38dc4d803a7f90a08277a9d59f920963e0c (diff) | |
| download | linux-fsl-qoriq-b71dbbcfaa2a2965e0797db7333396a71062a341.tar.xz | |
Staging: bcm: Fix an integer overflow in IOCTL_BCM_NVM_READ/WRITE
Variables stNVMReadWrite.uioffset and stNVMReadWrite.uiNumBytes
are chosen from userspace and can be very high. The sum of
these two digits would result in a small number. Therefore,
this patch verifies a negative number was not entered, and
reorganizes the equation to remove the integer overflow.
Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging/bcm')
| -rw-r--r-- | drivers/staging/bcm/Bcmchar.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c index 179707b..8bf3f57 100644 --- a/drivers/staging/bcm/Bcmchar.c +++ b/drivers/staging/bcm/Bcmchar.c @@ -1302,8 +1302,10 @@ cntrlEnd: /* * Deny the access if the offset crosses the cal area limit. */ + if (stNVMReadWrite.uiNumBytes > Adapter->uiNVMDSDSize) + return STATUS_FAILURE; - if ((stNVMReadWrite.uiOffset + stNVMReadWrite.uiNumBytes) > Adapter->uiNVMDSDSize) { + if (stNVMReadWrite.uiOffset > Adapter->uiNVMDSDSize - stNVMReadWrite.uiNumBytes) { /* BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Can't allow access beyond NVM Size: 0x%x 0x%x\n", stNVMReadWrite.uiOffset, stNVMReadWrite.uiNumBytes); */ return STATUS_FAILURE; } |