Skip to content

Commit

Permalink
Staging: bcm: Fix an integer overflow in IOCTL_BCM_NVM_READ/WRITE
Browse files Browse the repository at this point in the history
Variables stNVMReadWrite.uioffset and stNVMReadWrite.uiNumBytes
are chosen from userspace and can be very high. The sum of
these two digits would result in a small number. Therefore,
this patch verifies a negative number was not entered, and
reorganizes the equation to remove the integer overflow.

Signed-off-by: Kevin McKinney <klmckinney1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
Kevin McKinney authored and Greg Kroah-Hartman committed Feb 9, 2012
1 parent 3c92e38 commit b71dbbc
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion drivers/staging/bcm/Bcmchar.c
Original file line number Diff line number Diff line change
Expand Up @@ -1302,8 +1302,10 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg)
/*
* Deny the access if the offset crosses the cal area limit.
*/
if (stNVMReadWrite.uiNumBytes > Adapter->uiNVMDSDSize)
return STATUS_FAILURE;

if ((stNVMReadWrite.uiOffset + stNVMReadWrite.uiNumBytes) > Adapter->uiNVMDSDSize) {
if (stNVMReadWrite.uiOffset > Adapter->uiNVMDSDSize - stNVMReadWrite.uiNumBytes) {
/* BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Can't allow access beyond NVM Size: 0x%x 0x%x\n", stNVMReadWrite.uiOffset, stNVMReadWrite.uiNumBytes); */
return STATUS_FAILURE;
}
Expand Down

0 comments on commit b71dbbc

Please sign in to comment.