summaryrefslogtreecommitdiff
path: root/drivers/staging/bcm
diff options
context:
space:
mode:
authorKevin McKinney <klmckinney1@gmail.com>2011-12-20 10:41:13 -0500
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-02-08 17:19:03 -0800
commitb71dbbcfaa2a2965e0797db7333396a71062a341 (patch)
tree8e74932054e9f9f9ab87642def51deb45e2dab9a /drivers/staging/bcm
parent3c92e38dc4d803a7f90a08277a9d59f920963e0c (diff)
Staging: bcm: Fix an integer overflow in IOCTL_BCM_NVM_READ/WRITE
Variables stNVMReadWrite.uioffset and stNVMReadWrite.uiNumBytes are chosen from userspace and can be very high. The sum of these two digits would result in a small number. Therefore, this patch verifies a negative number was not entered, and reorganizes the equation to remove the integer overflow. Signed-off-by: Kevin McKinney <klmckinney1@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging/bcm')
-rw-r--r--drivers/staging/bcm/Bcmchar.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index 179707b5e7c7..8bf3f575160f 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -1302,8 +1302,10 @@ cntrlEnd:
/*
* Deny the access if the offset crosses the cal area limit.
*/
+ if (stNVMReadWrite.uiNumBytes > Adapter->uiNVMDSDSize)
+ return STATUS_FAILURE;
- if ((stNVMReadWrite.uiOffset + stNVMReadWrite.uiNumBytes) > Adapter->uiNVMDSDSize) {
+ if (stNVMReadWrite.uiOffset > Adapter->uiNVMDSDSize - stNVMReadWrite.uiNumBytes) {
/* BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Can't allow access beyond NVM Size: 0x%x 0x%x\n", stNVMReadWrite.uiOffset, stNVMReadWrite.uiNumBytes); */
return STATUS_FAILURE;
}