summaryrefslogtreecommitdiff
path: root/drivers/staging/bcm/nvm.c
diff options
context:
space:
mode:
authorWenliang Fan <fanwlexca@gmail.com>2013-12-20 19:07:38 +0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-12-20 12:22:26 -0800
commit1b1290e5bac8791cf613ead70dab54d06f1e8489 (patch)
tree57c7f2b2ba470252a97acb203e3c3ec621b99506 /drivers/staging/bcm/nvm.c
parent01b6442b4639a0165880aefeec5342df37e02aa8 (diff)
drivers/staging/bcm: Integer overflow
The checking condition in 'validateFlash2xReadWrite()' is not sufficient. A large number invalid would cause an integer overflow and pass the condition, which could cause further integer overflows in 'Bcmchar.c:bcm_char_ioctl()'. Signed-off-by: Wenliang Fan <fanwlexca@gmail.com> Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging/bcm/nvm.c')
-rw-r--r--drivers/staging/bcm/nvm.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/drivers/staging/bcm/nvm.c b/drivers/staging/bcm/nvm.c
index 9e5f955a1a08..3165da8036e7 100644
--- a/drivers/staging/bcm/nvm.c
+++ b/drivers/staging/bcm/nvm.c
@@ -3944,6 +3944,15 @@ int validateFlash2xReadWrite(struct bcm_mini_adapter *Adapter, struct bcm_flash2
BCM_DEBUG_PRINT(Adapter, DBG_TYPE_OTHERS, NVM_RW, DBG_LVL_ALL, "End offset :%x\n", uiSectEndOffset);
+ /* psFlash2xReadWrite->offset and uiNumOfBytes are user controlled and can lead to integer overflows */
+ if (psFlash2xReadWrite->offset > uiSectEndOffset) {
+ BCM_DEBUG_PRINT(Adapter, DBG_TYPE_PRINTK, 0, 0, "Invalid Request....");
+ return false;
+ }
+ if (uiNumOfBytes > uiSectEndOffset) {
+ BCM_DEBUG_PRINT(Adapter, DBG_TYPE_PRINTK, 0, 0, "Invalid Request....");
+ return false;
+ }
/* Checking the boundary condition */
if ((uiSectStartOffset + psFlash2xReadWrite->offset + uiNumOfBytes) <= uiSectEndOffset)
return TRUE;
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-16 09:20:39 +0000