* [patch 2/2] staging/bcm: integer underflow leads to Oom
@ 2014-02-17 19:57 Dan Carpenter
0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2014-02-17 19:57 UTC (permalink / raw)
To: kernel-janitors
We do:
if (NOB > DEFAULT_BUFF_SIZE)
BuffSize = DEFAULT_BUFF_SIZE;
else
BuffSize = NOB;
Since NOB can be negative it results in a larger than intended BuffSize
and makes kzalloc() fail.
The code is still a bit crap because it lets the users read as much as
they want from nvram, but I don't know what a sensible upper limit
should be.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index 6f1997dc44c8..5e4dfe031040 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -1894,7 +1894,7 @@ static int bcm_char_ioctl_nvm_raw_read(void __user *argp, struct bcm_mini_adapte
{
struct bcm_nvm_readwrite stNVMRead;
struct bcm_ioctl_buffer IoBuffer;
- INT NOB;
+ unsigned int NOB;
INT BuffSize;
INT ReadOffset = 0;
UINT ReadBytes = 0;
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2014-02-17 19:57 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-02-17 19:57 [patch 2/2] staging/bcm: integer underflow leads to Oom Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox