Variables stNVMReadWrite.uiOffset and stNVMReadWrite.uiNumBytes
are chosen from userspace and can be very high. The sum of
these two digits would result in a small number. Therefore,
this patch reorganizes the equation to remove the integer
overflow.

Signed-off-by: Kevin McKinney <[email protected]>
---
 drivers/staging/bcm/Bcmchar.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index 179707b..f365a5a 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -1303,7 +1303,7 @@ cntrlEnd:
                 * Deny the access if the offset crosses the cal area limit.
                 */
 
-               if ((stNVMReadWrite.uiOffset + stNVMReadWrite.uiNumBytes) > 
Adapter->uiNVMDSDSize) {
+               if (stNVMReadWrite.uiOffset > (Adapter->uiNVMDSDSize - 
stNVMReadWrite.uiNumBytes)) {
                        /* BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Can't 
allow access beyond NVM Size: 0x%x 0x%x\n", stNVMReadWrite.uiOffset, 
stNVMReadWrite.uiNumBytes); */
                        return STATUS_FAILURE;
                }
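Review bot: the rewritten condition on the `+` line can still wrap, in the other direction. If stNVMReadWrite.uiNumBytes is larger than Adapter->uiNVMDSDSize, the subtraction `Adapter->uiNVMDSDSize - stNVMReadWrite.uiNumBytes` underflows (assuming both are unsigned, as the `ui` prefix suggests) to a very large value, so any uiOffset passes the check. Since uiNumBytes comes from userspace, reject that case first, for example `if (stNVMReadWrite.uiNumBytes > Adapter->uiNVMDSDSize || stNVMReadWrite.uiOffset > Adapter->uiNVMDSDSize - stNVMReadWrite.uiNumBytes)`. The commit message would also be clearer if it said the sum wraps around rather than "would result in a small number".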
-- 
1.7.4.1
