Staging: bcm: Fix an integer overflow in IOCTL_BCM_NVM_READ/WRITE

Variables stNVMReadWrite.uioffset and stNVMReadWrite.uiNumBytes are chosen from userspace and can be very high. The sum of these two digits would result in a small number. Therefore, this patch verifies a negative number was not entered, and reorganizes the equation to remove the integer overflow. Signed-off-by: Kevin McKinney <klmckinney1@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Kevin McKinney <klmckinney1@gmail.com> 2011-12-20 10:41:13 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-02-08 17:19:03 -0800
commit: b71dbbcfaa2a2965e0797db7333396a71062a341 (patch)
tree: 8e74932054e9f9f9ab87642def51deb45e2dab9a /drivers/staging/bcm
parent: 3c92e38dc4d803a7f90a08277a9d59f920963e0c (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index 179707b5e7c7..8bf3f575160f 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -1302,8 +1302,10 @@ cntrlEnd:
 		/*
 		 * Deny the access if the offset crosses the cal area limit.
 		 */
+		if (stNVMReadWrite.uiNumBytes > Adapter->uiNVMDSDSize)
+			return STATUS_FAILURE;
 
-		if ((stNVMReadWrite.uiOffset + stNVMReadWrite.uiNumBytes) > Adapter->uiNVMDSDSize) {
+		if (stNVMReadWrite.uiOffset > Adapter->uiNVMDSDSize - stNVMReadWrite.uiNumBytes) {
 			/* BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Can't allow access beyond NVM Size: 0x%x 0x%x\n", stNVMReadWrite.uiOffset, stNVMReadWrite.uiNumBytes); */
 			return STATUS_FAILURE;
 		}
author	Kevin McKinney <klmckinney1@gmail.com>	2011-12-20 10:41:13 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2012-02-08 17:19:03 -0800
commit	b71dbbcfaa2a2965e0797db7333396a71062a341 (patch)
tree	8e74932054e9f9f9ab87642def51deb45e2dab9a /drivers/staging/bcm
parent	3c92e38dc4d803a7f90a08277a9d59f920963e0c (diff)