[PATCH 2/2] Staging: bcm: Fix an integer overflow in IOCTL_BCM_NVM_READ/WRITE
Dan Carpenter
dan.carpenter at oracle.com
Sat Dec 17 19:00:28 UTC 2011
On Sat, Dec 17, 2011 at 11:53:38AM -0500, Kevin McKinney wrote:
> Variables stNVMReadWrite.uioffset and stNVMReadWrite.uiNumBytes
> are chosen from userspace and can be very high. The sum of
> these two digits would result in a small number. Therefore,
> this patch reorganizes the equation to remove the integer
> overflow.
>
> Signed-off-by: Kevin McKinney <klmckinney1 at gmail.com>
> ---
> drivers/staging/bcm/Bcmchar.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
> index 179707b..f365a5a 100644
> --- a/drivers/staging/bcm/Bcmchar.c
> +++ b/drivers/staging/bcm/Bcmchar.c
> @@ -1303,7 +1303,7 @@ cntrlEnd:
> * Deny the access if the offset crosses the cal area limit.
> */
>
> - if ((stNVMReadWrite.uiOffset + stNVMReadWrite.uiNumBytes) > Adapter->uiNVMDSDSize) {
> + if (stNVMReadWrite.uiOffset > (Adapter->uiNVMDSDSize - stNVMReadWrite.uiNumBytes)) {
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Now you have a problem on this side. ;)
First verify that stNVMReadWrite.uiNumBytes is less than
Adapter->uiNVMDSDSize before you do the subtraction.
regards,
dan carpenter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://driverdev.linuxdriverproject.org/pipermail/driverdev-devel/attachments/20111217/f605a900/attachment.asc>
More information about the devel
mailing list