rndis_wlan: prevent integer overflow in indication()

If we pick a high value for "offset" then it could lead to an integer
overflow and we would get past the check for:
	if (offset + len > buflen) { ...

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
Dan Carpenter 2012-02-29 09:37:53 +03:00 committed by John W. Linville
parent 551d6fe6cb
commit e4e02da2ef
1 changed files with 2 additions and 2 deletions

View File

@ -3043,7 +3043,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
struct rndis_indicate *msg, int buflen)
{
struct ndis_80211_status_indication *indication;
int len, offset;
unsigned int len, offset;
offset = offsetof(struct rndis_indicate, status) +
le32_to_cpu(msg->offset);
@ -3055,7 +3055,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
return;
}
if (offset + len > buflen) {
if (len > buflen || offset > buflen || offset + len > buflen) {
netdev_info(usbdev->net, "media specific indication, too large to fit to buffer (%i > %i)\n",
offset + len, buflen);
return;