From: Dan Carpenter Date: Fri, 18 May 2012 07:36:47 +0000 (+0300) Subject: NFC: potential integer overflow problem in check_crc() X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=885ba1da689299ec52e646ca1a2429b8de55f364;p=linux-beck.git NFC: potential integer overflow problem in check_crc() If "buf[0]" is 255 then "len" gets set to 0. The call to "crc_ccitt(0xffff, buf, len - 2);" casts the "len - 2" to a high positive number which is ugly. Signed-off-by: Dan Carpenter Signed-off-by: John W. Linville --- diff --git a/drivers/nfc/pn544_hci.c b/drivers/nfc/pn544_hci.c index 46f4a9f9f5e4..281f18c2fb82 100644 --- a/drivers/nfc/pn544_hci.c +++ b/drivers/nfc/pn544_hci.c @@ -232,7 +232,7 @@ static int pn544_hci_i2c_write(struct i2c_client *client, u8 *buf, int len) static int check_crc(u8 *buf, int buflen) { - u8 len; + int len; u16 crc; len = buf[0] + 1;