* [patch] NFC: potential integer overflow problem in check_crc()
@ 2012-05-18 7:36 Dan Carpenter
0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2012-05-18 7:36 UTC (permalink / raw)
To: Lauro Ramos Venancio
Cc: Aloisio Almeida Jr, Samuel Ortiz, linux-wireless, kernel-janitors
If "buf[0]" is 255 then "len" gets set to 0. The call to
"crc_ccitt(0xffff, buf, len - 2);" casts the "len - 2" to a high
positive number which is ugly.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/nfc/pn544_hci.c b/drivers/nfc/pn544_hci.c
index 46f4a9f..281f18c 100644
--- a/drivers/nfc/pn544_hci.c
+++ b/drivers/nfc/pn544_hci.c
@@ -232,7 +232,7 @@ static int pn544_hci_i2c_write(struct i2c_client *client, u8 *buf, int len)
static int check_crc(u8 *buf, int buflen)
{
- u8 len;
+ int len;
u16 crc;
len = buf[0] + 1;
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2012-05-18 7:36 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-05-18 7:36 [patch] NFC: potential integer overflow problem in check_crc() Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox