From: Dan Carpenter
Date: Wed, 29 Feb 2012 06:37:53 +0000 (+0300)
Subject: rndis_wlan: prevent integer overflow in indication()
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=e4e02da2ef01deb36aa80fce6ee0bc3e9725ffe8;p=linux-beck.git

rndis_wlan: prevent integer overflow in indication()

If we pick a high value for "offset" then it could lead to an integer overflow and we would get past the check for: if (offset + len > buflen) { ...

Signed-off-by: Dan Carpenter
Acked-by: Jussi Kivilinna
Signed-off-by: John W. Linville
---

diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index 454f2f182342..ce138d846193 100644
--- a/drivers/net/wireless/rndis_wlan.c
+++ b/drivers/net/wireless/rndis_wlan.c
@@ -3043,7 +3043,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
 struct rndis_indicate *msg, int buflen)
 {
 struct ndis_80211_status_indication *indication;
- int len, offset;
+ unsigned int len, offset;
 
 offset = offsetof(struct rndis_indicate, status) +
 le32_to_cpu(msg->offset);
@@ -3055,7 +3055,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
 return;
 }
 
- if (offset + len > buflen) {
+ if (len > buflen || offset > buflen || offset + len > buflen) {
 netdev_info(usbdev->net, "media specific indication, too large to fit to buffer (%i > %i)\n",
 offset + len, buflen);
 return;
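Review bot: The sum `offsetof(struct rndis_indicate, status) + le32_to_cpu(msg->offset)` is still computed before any bound is applied, so with `offset` now unsigned a device-supplied field close to the 32-bit maximum wraps to a small value that the later `offset > buflen` test accepts. The access would then stay inside the buffer, but at a position the message never described. Bounding the raw field before the addition closes this, e.g. `u32 raw = le32_to_cpu(msg->offset); if (raw > buflen) return;`, assuming `buflen` is never negative (its callers are not visible here). The function body continues outside this hunk.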
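Review bot: `buflen` is a signed `int` while `len` and `offset` are now `unsigned int`, so all three comparisons in the new condition convert `buflen` to unsigned. If a caller could ever pass a negative `buflen` (not visible here), it would act as a very large limit and the check would pass. The `netdev_info` call that follows still prints `offset + len` with `%i`, but that sum is now unsigned and may itself have wrapped, so the log can report a small number as exceeding the buffer size. Printing the parts separately, `"... (%u + %u > %i)\n", offset, len, buflen`, would keep the message accurate. A short comment such as `/* test len and offset separately so offset + len cannot wrap past the bound */` above the condition would explain why the first two tests are there.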