Skip to content

Commit

Permalink
NFC: potential integer overflow problem in check_crc()
Browse files Browse the repository at this point in the history 
If "buf[0]" is 255 then "len" gets set to 0.  The call to
"crc_ccitt(0xffff, buf, len - 2);" casts the "len - 2" to a high
positive number which is ugly.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
  • Loading branch information
Dan Carpenter authored and John W. Linville committed May 25, 2012
1 parent f380f2c commit 885ba1d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/nfc/pn544_hci.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -232,7 +232,7 @@ static int pn544_hci_i2c_write(struct i2c_client *client, u8 *buf, int len)

static int check_crc(u8 *buf, int buflen)
{
u8 len;
int len;
u16 crc;

len = buf[0] + 1;
Expand Down

0 comments on commit 885ba1d

Please sign in to comment.