[patch 5/6] Staging: gdm72xx: underflow bug in gdm_wimax_ioctl_get_data()
Dan Carpenter
dan.carpenter at oracle.com
Mon Feb 22 19:33:09 UTC 2016
"size" here should be unsigned, otherwise we might end up trying to copy
negative bytes in gdm_wimax_ioctl_get_data() resulting in an information
leak.
Reported-by: Alan Cox <gnomes at lxorguk.ukuu.org.uk>
Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
diff --git a/drivers/staging/gdm72xx/wm_ioctl.h b/drivers/staging/gdm72xx/wm_ioctl.h
index 631cb1d..032cb07 100644
--- a/drivers/staging/gdm72xx/wm_ioctl.h
+++ b/drivers/staging/gdm72xx/wm_ioctl.h
@@ -74,12 +74,12 @@ struct fsm_s {
};
struct data_s {
- int size;
+ unsigned int size;
void *buf;
};
struct udata_s {
- int size;
+ unsigned int size;
void __user *buf;
};
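Review bot: the type change on `size` in `struct data_s` and `struct udata_s` only removes the negative case; a value that used to be negative now reads as a very large unsigned length, so the fix is only complete if the consumer bounds it before copying. gdm_wimax_ioctl_get_data() is not part of this diff, so please confirm that it limits the copy length to the smaller of the source and destination sizes. Also check the other users of these two structs for signed tests such as `size < 0`, which become always false after this change. Since `struct udata_s` carries a `void __user *buf`, its `size` should be treated as untrusted wherever it is read.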