rndis_wlan: prevent integer overflow in indication()
If we pick a high value for "offset" then it could lead to an integer overflow and we would get past the check for: if (offset + len > buflen) { ... Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi> Signed-off-by: John W. Linville <linville@tuxdriver.com>
parent
551d6fe6cb
commit
e4e02da2ef
|
@ -3043,7 +3043,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
|
|||
struct rndis_indicate *msg, int buflen)
|
||||
{
|
||||
struct ndis_80211_status_indication *indication;
|
||||
int len, offset;
|
||||
unsigned int len, offset;
|
||||
|
||||
offset = offsetof(struct rndis_indicate, status) +
|
||||
le32_to_cpu(msg->offset);
|
||||
|
@ -3055,7 +3055,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
|
|||
return;
|
||||
}
|
||||
|
||||
if (offset + len > buflen) {
|
||||
if (len > buflen || offset > buflen || offset + len > buflen) {
|
||||
netdev_info(usbdev->net, "media specific indication, too large to fit to buffer (%i > %i)\n",
|
||||
offset + len, buflen);
|
||||
return;
|
||||
|
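Review bot: The new check `if (len > buflen || offset > buflen || offset + len > buflen)` compares the now-unsigned `len` and `offset` against `buflen`, which the signature still declares as `int`, so `buflen` is converted to unsigned in each comparison and a negative value would become a very large limit that lets any length through. Whether a caller can pass a negative `buflen` is not visible here, but the check would not depend on it if it began with `buflen < 0 ||` or if the parameter were made unsigned. The `netdev_info()` call below still formats `offset + len` with `%i` although the sum is now `unsigned int`; `(%u > %i)` would match the types. On the overflow path the logged sum is the wrapped value, so printing `offset` and `len` separately would be more useful when triaging a malformed indication. The function body starts before and continues after the lines shown.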
|