On Sat, Dec 17, 2011 at 2:00 PM, Dan Carpenter <[email protected]> wrote:
> On Sat, Dec 17, 2011 at 11:53:38AM -0500, Kevin McKinney wrote:
>> Variables stNVMReadWrite.uiOffset and stNVMReadWrite.uiNumBytes
>> are chosen from userspace and can be very high. The sum of
>> these two digits would result in a small number. Therefore,
>> this patch reorganizes the equation to remove the integer
>> overflow.
>>
>> Signed-off-by: Kevin McKinney <[email protected]>
>> ---
>>  drivers/staging/bcm/Bcmchar.c |    2 +-
>>  1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
>> index 179707b..f365a5a 100644
>> --- a/drivers/staging/bcm/Bcmchar.c
>> +++ b/drivers/staging/bcm/Bcmchar.c
>> @@ -1303,7 +1303,7 @@ cntrlEnd:
>>                * Deny the access if the offset crosses the cal area limit.
>>                */
>>
>> -             if ((stNVMReadWrite.uiOffset + stNVMReadWrite.uiNumBytes) > 
>> Adapter->uiNVMDSDSize) {
>> +             if (stNVMReadWrite.uiOffset > (Adapter->uiNVMDSDSize - 
>> stNVMReadWrite.uiNumBytes)) {
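Review bot: The subtraction Adapter->uiNVMDSDSize - stNVMReadWrite.uiNumBytes in the new condition is done with no prior check that uiNumBytes is at most uiNVMDSDSize. uiNumBytes comes from userspace per the commit message, so if these fields are unsigned (as the ui prefix suggests) a value larger than the area size makes the difference wrap to a very large number, the comparison is false, and the access is not denied. Suggest denying when stNVMReadWrite.uiNumBytes > Adapter->uiNVMDSDSize first, and only then comparing uiOffset against the difference.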
>                                               
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Now you have a problem on this side.  ;)
>
> First verify that stNVMReadWrite.uiNumBytes is less than
> Adapter->uiNVMDSDSize before you do the subtraction.
>
Will do. Yeah, good point; stNVMReadWrite.uiNumBytes could be greater
than Adapter->uiNVMDSDSize.  I will study this, fix it, and then
resubmit.

Thanks,
Kevin
_______________________________________________
devel mailing list
[email protected]
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
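The three forms of the bounds check discussed in this thread, side by side, as an added example that is not part of the original messages or the driver. The function names and sample values are hypothetical, and the parameters stand in for uiOffset, uiNumBytes and uiNVMDSDSize, assumed to be 32-bit unsigned int.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical helpers: offset, len and size stand in for
 * stNVMReadWrite.uiOffset, stNVMReadWrite.uiNumBytes and
 * Adapter->uiNVMDSDSize (assumed unsigned int, 32 bits wide). */

/* Pre-patch form: offset + len can wrap around to a small value. */
static bool deny_sum(unsigned int offset, unsigned int len, unsigned int size)
{
	return (offset + len) > size;
}

/* Form in the patch: size - len wraps to a huge value when len > size. */
static bool deny_sub(unsigned int offset, unsigned int len, unsigned int size)
{
	return offset > (size - len);
}

/* Length is validated first, so the subtraction below cannot wrap. */
static bool deny_checked(unsigned int offset, unsigned int len, unsigned int size)
{
	if (len > size)
		return true;
	return offset > (size - len);
}

int main(void)
{
	/* Constructed sample requests, not values taken from the driver. */
	const unsigned int size = 0x1000;
	const struct { unsigned int offset, len; } req[] = {
		{ 0x0800, 0x0800 },     /* exactly fits: should be allowed */
		{ 0x0801, 0x0800 },     /* one byte past the end */
		{ 0xFFFFFFF0u, 0x20 },  /* offset + len wraps to 0x10 */
		{ 0x0010, 0x2000 },     /* len larger than the whole area */
	};

	printf("%-10s %-10s  sum sub checked (1 = denied)\n", "offset", "len");
	for (size_t i = 0; i < sizeof(req) / sizeof(req[0]); i++)
		printf("0x%08x 0x%08x  %d   %d   %d\n", req[i].offset, req[i].len,
		       deny_sum(req[i].offset, req[i].len, size),
		       deny_sub(req[i].offset, req[i].len, size),
		       deny_checked(req[i].offset, req[i].len, size));
	return 0;
}
```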