linux-wireless.vger.kernel.org archive mirror
* [patch 4/4] rndis_wlan: prevent integer overflow in indication()
From: Dan Carpenter @ 2012-02-29  6:37 UTC
  To: Jussi Kivilinna; +Cc: John W. Linville, linux-wireless, kernel-janitors

If we pick a high value for "offset" then it could lead to an integer
overflow and we would get past the check for:
	if (offset + len > buflen) { ...

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index 74e2d1b..dfd76e3 100644
--- a/drivers/net/wireless/rndis_wlan.c
+++ b/drivers/net/wireless/rndis_wlan.c
@@ -3043,7 +3043,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
 			struct rndis_indicate *msg, int buflen)
 {
 	struct ndis_80211_status_indication *indication;
-	int len, offset;
+	unsigned int len, offset;
 
 	offset = offsetof(struct rndis_indicate, status) +
 			le32_to_cpu(msg->offset);
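Review bot: with `offset` now unsigned, the sum on the `offset = offsetof(struct rndis_indicate, status) + le32_to_cpu(msg->offset);` line wraps modulo 2^32 when the device-supplied field is close to UINT_MAX, so a small value is produced before any check runs. Consider bounds-checking `le32_to_cpu(msg->offset)` against `buflen` before adding the `offsetof()` term. Separately, `buflen` stays `int` in the signature, so each comparison against the new unsigned variables converts it to unsigned; a type change or a comment stating that `buflen` is never negative would make that assumption explicit.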
@@ -3055,7 +3055,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
 		return;
 	}
 
-	if (offset + len > buflen) {
+	if (len > buflen || offset > buflen || offset + len > buflen) {
 		netdev_info(usbdev->net, "media specific indication, too large to fit to buffer (%i > %i)\n",
 			    offset + len, buflen);
 		return;
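Review bot: the `netdev_info()` call still formats `offset + len` with `%i` although both operands are now `unsigned int`; `%u` matches the type. When the rejection comes from the `len > buflen` or `offset > buflen` clause, the printed sum may already have wrapped, so logging `offset` and `len` separately would be more useful. The condition itself could avoid the addition altogether with `offset > buflen || len > buflen - offset`.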


* Re: [patch 4/4] rndis_wlan: prevent integer overflow in indication()
From: Jussi Kivilinna @ 2012-03-01 10:19 UTC
  To: Dan Carpenter; +Cc: John W. Linville, linux-wireless, kernel-janitors

Quoting Dan Carpenter <dan.carpenter@oracle.com>:

> If we pick a high value for "offset" then it could lead to an integer
> overflow and we would get past the check for:
> 	if (offset + len > buflen) { ...

Acked-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>

>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/drivers/net/wireless/rndis_wlan.c  
> b/drivers/net/wireless/rndis_wlan.c
> index 74e2d1b..dfd76e3 100644
> --- a/drivers/net/wireless/rndis_wlan.c
> +++ b/drivers/net/wireless/rndis_wlan.c
> @@ -3043,7 +3043,7 @@ static void  
> rndis_wlan_media_specific_indication(struct usbnet *usbdev,
>  			struct rndis_indicate *msg, int buflen)
>  {
>  	struct ndis_80211_status_indication *indication;
> -	int len, offset;
> +	unsigned int len, offset;
>
>  	offset = offsetof(struct rndis_indicate, status) +
>  			le32_to_cpu(msg->offset);
> @@ -3055,7 +3055,7 @@ static void  
> rndis_wlan_media_specific_indication(struct usbnet *usbdev,
>  		return;
>  	}
>
> -	if (offset + len > buflen) {
> +	if (len > buflen || offset > buflen || offset + len > buflen) {
>  		netdev_info(usbdev->net, "media specific indication, too large to  
> fit to buffer (%i > %i)\n",
>  			    offset + len, buflen);
>  		return;
>
>


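The check discussed in this thread, as an added example that is not code from the patch or the driver: it compares the pre-patch `int` check, the post-patch three-clause check, and a subtraction-based variant on constructed inputs. `HDR_LEN`, the function names and the strict variant are assumptions made for illustration; the signed wrap is modelled with unsigned arithmetic because signed overflow is undefined in C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 8u	/* constructed stand-in for offsetof(struct rndis_indicate, status) */

/* Pre-patch shape: int operands. Signed overflow is undefined in C, so the
 * wrap a two's-complement build typically produces is modelled here with
 * unsigned arithmetic. Returns 1 when the message gets past the check. */
static int old_check_passes(uint32_t wire_offset, uint32_t wire_len, int buflen)
{
	int offset = (int)(HDR_LEN + wire_offset);
	int len = (int)wire_len;
	int sum = (int)((unsigned int)offset + (unsigned int)len);
	return !(sum > buflen);
}

/* Post-patch shape: unsigned operands and the three-clause test. The cast
 * spells out the conversion C applies to the int buflen implicitly. */
static int new_check_passes(uint32_t wire_offset, uint32_t wire_len, int buflen)
{
	unsigned int offset = HDR_LEN + wire_offset;
	unsigned int len = wire_len;
	unsigned int max = (unsigned int)buflen;

	return !(len > max || offset > max || offset + len > max);
}

/* Stricter variant (an assumption, not in the patch): compare by subtraction
 * so no sum is ever formed, including the header + offset sum. */
static int strict_check_passes(uint32_t wire_offset, uint32_t wire_len, size_t buflen)
{
	if (buflen < HDR_LEN || wire_offset > buflen - HDR_LEN)
		return 0;
	return wire_len <= buflen - HDR_LEN - wire_offset;
}

int main(void)
{
	/* Constructed inputs: {offset field, length field}; buffer is 64 bytes. */
	const uint32_t cases[][2] = { {8, 16}, {0x7ffffff0u, 0x20u}, {0xfffffff8u, 16} };
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("offset=0x%08x len=%u old=%d new=%d strict=%d\n",
		       (unsigned)cases[i][0], (unsigned)cases[i][1],
		       old_check_passes(cases[i][0], cases[i][1], 64),
		       new_check_passes(cases[i][0], cases[i][1], 64),
		       strict_check_passes(cases[i][0], cases[i][1], 64));
	return 0;
}
```

In the third case the header-plus-offset sum wraps to 0 before any comparison, so the three-clause check accepts an in-bounds location that is not the one the offset field named; the subtraction form rejects it.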

