From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933505Ab3GCS7w (ORCPT ); Wed, 3 Jul 2013 14:59:52 -0400 Received: from hrndva-omtalb.mail.rr.com ([71.74.56.122]:28058 "EHLO hrndva-omtalb.mail.rr.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933128Ab3GCSkr (ORCPT ); Wed, 3 Jul 2013 14:40:47 -0400 X-Authority-Analysis: v=2.0 cv=Du3UCRD+ c=1 sm=0 a=Sro2XwOs0tJUSHxCKfOySw==:17 a=Drc5e87SC40A:10 a=Ciwy3NGCPMMA:10 a=F9OgHcRXN2AA:10 a=5SG0PmZfjMsA:10 a=bbbx4UPp9XUA:10 a=meVymXHHAAAA:8 a=KGjhK52YXX0A:10 a=GR_MqN2NCmMA:10 a=yPCof4ZbAAAA:8 a=VwQbUJbxAAAA:8 a=ag1SF4gXAAAA:8 a=JmOfzSW2dxeFCjiKdREA:9 a=7DSvI1NPTFQA:10 a=1TSTQ8KKaH4A:10 a=jeBq3FmKZ4MA:10 a=Sro2XwOs0tJUSHxCKfOySw==:117 X-Cloudmark-Score: 0 X-Authenticated-User: X-Originating-IP: 67.255.60.225 Message-Id: <20130703184045.950231533@goodmis.org> User-Agent: quilt/0.60-1 Date: Wed, 03 Jul 2013 14:39:05 -0400 From: Steven Rostedt To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Dan Carpenter , Greg Kroah-Hartman Subject: [008/141] USB: cxacru: potential underflow in cxacru_cm_get_array() References: <20130703183857.307196999@goodmis.org> Content-Disposition: inline; filename=0008-USB-cxacru-potential-underflow-in-cxacru_cm_get_arra.patch Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.6.11.6 stable review patch. If anyone has any objections, please let me know. ------------------ From: Dan Carpenter [ Upstream commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 ] The value of "offd" comes off the instance->rcv_buf[] and we used it as the offset into an array. The problem is that we check the upper bound but not for negative values. Signed-off-by: Dan Carpenter Cc: stable Signed-off-by: Greg Kroah-Hartman Signed-off-by: Steven Rostedt --- drivers/usb/atm/cxacru.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c index b7eb86a..8a7eb77 100644 --- a/drivers/usb/atm/cxacru.c +++ b/drivers/usb/atm/cxacru.c @@ -686,7 +686,8 @@ static int cxacru_cm_get_array(struct cxacru_data *instance, enum cxacru_cm_requ { int ret, len; __le32 *buf; - int offb, offd; + int offb; + unsigned int offd; const int stride = CMD_PACKET_SIZE / (4 * 2) - 1; int buflen = ((size - 1) / stride + 1 + size * 2) * 4; -- 1.7.10.4