On Sat, Dec 17, 2011 at 2:00 PM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> On Sat, Dec 17, 2011 at 11:53:38AM -0500, Kevin McKinney wrote:
>> Variables stNVMReadWrite.uioffset and stNVMReadWrite.uiNumBytes
>> are chosen from userspace and can be very high. The sum of
>> these two digits would result in a small number. Therefore,
>> this patch reorganizes the equation to remove the integer
>> overflow.
>>
>> Signed-off-by: Kevin McKinney <klmckinney1@xxxxxxxxx>
>> ---
>> drivers/staging/bcm/Bcmchar.c | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
>> index 179707b..f365a5a 100644
>> --- a/drivers/staging/bcm/Bcmchar.c
>> +++ b/drivers/staging/bcm/Bcmchar.c
>> @@ -1303,7 +1303,7 @@ cntrlEnd:
>> * Deny the access if the offset crosses the cal area limit.
>> */
>>
>> - if ((stNVMReadWrite.uiOffset + stNVMReadWrite.uiNumBytes) > Adapter->uiNVMDSDSize) {
>> + if (stNVMReadWrite.uiOffset > (Adapter->uiNVMDSDSize - stNVMReadWrite.uiNumBytes)) {
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Now you have a problem on this side. ;)
>
> First verify that stNVMReadWrite.uiNumBytes is less than
> Adapter->uiNVMDSDSize before you do the subtraction.
>
Will do. Yeah, good point; stNVMReadWrite.uiNumBytes could be greater
than Adapter->uiNVMDSDSize. I will study this; fix it, and then
resubmit.
Thanks,
Kevin
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
