From b71dbbcfaa2a2965e0797db7333396a71062a341 Mon Sep 17 00:00:00 2001 From: Kevin McKinney Date: Tue, 20 Dec 2011 10:41:13 -0500 Subject: [PATCH] Staging: bcm: Fix an integer overflow in IOCTL_BCM_NVM_READ/WRITE Variables stNVMReadWrite.uioffset and stNVMReadWrite.uiNumBytes are chosen from userspace and can be very high. The sum of these two digits would result in a small number. Therefore, this patch verifies a negative number was not entered, and reorganizes the equation to remove the integer overflow. Signed-off-by: Kevin McKinney Signed-off-by: Greg Kroah-Hartman --- drivers/staging/bcm/Bcmchar.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c index 179707b5e7c..8bf3f575160 100644 --- a/drivers/staging/bcm/Bcmchar.c +++ b/drivers/staging/bcm/Bcmchar.c @@ -1302,8 +1302,10 @@ cntrlEnd: /* * Deny the access if the offset crosses the cal area limit. */ + if (stNVMReadWrite.uiNumBytes > Adapter->uiNVMDSDSize) + return STATUS_FAILURE; - if ((stNVMReadWrite.uiOffset + stNVMReadWrite.uiNumBytes) > Adapter->uiNVMDSDSize) { + if (stNVMReadWrite.uiOffset > Adapter->uiNVMDSDSize - stNVMReadWrite.uiNumBytes) { /* BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Can't allow access beyond NVM Size: 0x%x 0x%x\n", stNVMReadWrite.uiOffset, stNVMReadWrite.uiNumBytes); */ return STATUS_FAILURE; } -- 2.39.5