> --- a/drivers/staging/unisys/visorbus/visorchipset.c
> +++ b/drivers/staging/unisys/visorbus/visorchipset.c
> @@ -581,7 +581,8 @@ static void *parser_name_get(struct parser_context *ctx)
> struct visor_controlvm_parameters_header *phdr;
>
> phdr = &ctx->data;
> - if (phdr->name_offset + phdr->name_length > ctx->param_bytes)
> + if ((unsigned long)phdr->name_offset +
> + (unsigned long)phdr->name_length > ctx->param_bytes)
> return NULL;
> ctx->curr = (char *)&phdr + phdr->name_offset;
> ctx->bytes_remaining = phdr->name_length;
I haven't reviewed this code very thouroughly. This should fix the issue on 64 bit systems, but it's a no-op on 32 bit systems. Which might be fine? I would be more comfortable if we just checked for integer overflow explicitly. There are bunch of ways to do that: if (phdr->name_offset > ctx->param_bytes || phdr->name_length > ctx->param_bytes || phdr->name_offset + phdr->name_length > ctx->param_bytes) Or: if (phdr->name_offset + phdr->name_length < phdr->name_offset || phdr->name_offset + phdr->name_length > ctx->param_bytes) return NULL; regards, dan carpenter _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
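Review bot: The context line `ctx->curr = (char *)&phdr + phdr->name_offset;` takes the address of the local pointer variable `phdr` (declared as a pointer at the top of the hunk and assigned `&ctx->data`), so the cursor is computed from a stack address rather than from the parameter header, and the length check changed here does not bound what is later read through `ctx->curr`. If the offset is meant to be relative to the header, as the comparison against `ctx->param_bytes` suggests, the line should read `ctx->curr = (char *)phdr + phdr->name_offset;`. A short comment stating what `name_offset` is relative to would also help, since the hunk does not show whether `param_bytes` counts the header itself. The body of parser_name_get starts and ends outside the hunk, so how `ctx->curr` is consumed afterwards is not visible here.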