staging/bcm: integer underflow leads to Oom

We do: if (NOB > DEFAULT_BUFF_SIZE) BuffSize = DEFAULT_BUFF_SIZE; else BuffSize = NOB; Since NOB can be negative it results in a larger than intended BuffSize and makes kzalloc() fail. The code is still a bit crap because it lets the users read as much as they want from nvram, but I don't know what a sensible upper limit should be. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

staging/bcm: integer underflow leads to Oom
We do: if (NOB > DEFAULT_BUFF_SIZE) BuffSize = DEFAULT_BUFF_SIZE; else BuffSize = NOB; Since NOB can be negative it results in a larger than intended BuffSize and makes kzalloc() fail. The code is still a bit crap because it lets the users read as much as they want from nvram, but I don't know what a sensible upper limit should be. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ee2104ea · Dan Carpenter · Greg Kroah-Hartman · cfff3e5c · ee2104ea
Commit ee2104ea authored Feb 17, 2014 by Dan Carpenter Committed by Greg Kroah-Hartman Feb 18, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/staging/bcm/Bcmchar.c drivers/staging/bcm/Bcmchar.c +1 -1

No files found.
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -1894,7 +1894,7 @@ static int bcm_char_ioctl_nvm_raw_read(void __user *argp, struct bcm_mini_adapte
 {
 	struct bcm_nvm_readwrite stNVMRead;
 	struct bcm_ioctl_buffer IoBuffer;
-	INT NOB;
+	unsigned int NOB;
 	INT BuffSize;
 	INT ReadOffset = 0;
 	UINT ReadBytes = 0;