Commit b71dbbcf authored by Kevin McKinney's avatar Kevin McKinney Committed by Greg Kroah-Hartman

Staging: bcm: Fix an integer overflow in IOCTL_BCM_NVM_READ/WRITE

Variables stNVMReadWrite.uioffset and stNVMReadWrite.uiNumBytes
are chosen from userspace and can be very high. The sum of
these two digits would result in a small number. Therefore,
this patch verifies a negative number was not entered, and
reorganizes the equation to remove the integer overflow.
Signed-off-by: default avatarKevin McKinney <klmckinney1@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 3c92e38d
...@@ -1302,8 +1302,10 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg) ...@@ -1302,8 +1302,10 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
/* /*
* Deny the access if the offset crosses the cal area limit. * Deny the access if the offset crosses the cal area limit.
*/ */
if (stNVMReadWrite.uiNumBytes > Adapter->uiNVMDSDSize)
return STATUS_FAILURE;
if ((stNVMReadWrite.uiOffset + stNVMReadWrite.uiNumBytes) > Adapter->uiNVMDSDSize) { if (stNVMReadWrite.uiOffset > Adapter->uiNVMDSDSize - stNVMReadWrite.uiNumBytes) {
/* BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Can't allow access beyond NVM Size: 0x%x 0x%x\n", stNVMReadWrite.uiOffset, stNVMReadWrite.uiNumBytes); */ /* BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Can't allow access beyond NVM Size: 0x%x 0x%x\n", stNVMReadWrite.uiOffset, stNVMReadWrite.uiNumBytes); */
return STATUS_FAILURE; return STATUS_FAILURE;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment