On 21. 08. 19 9:11, Dan Carpenter wrote:
> The checking here needs to handle integer overflows because "offset" and
> "len" come from the user.
>
> Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> drivers/misc/xilinx_sdfec.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
> index 3fc53d20abf3..0bf3bcc8e1ef 100644
> --- a/drivers/misc/xilinx_sdfec.c
> +++ b/drivers/misc/xilinx_sdfec.c
> @@ -611,7 +611,9 @@ static int xsdfec_table_write(struct xsdfec_dev *xsdfec, u32 offset,
> * Writes that go beyond the length of
> * Shared Scale(SC) table should fail
> */
> - if ((XSDFEC_REG_WIDTH_JUMP * (offset + len)) > depth) {
> + if (offset > depth / XSDFEC_REG_WIDTH_JUMP ||
> + len > depth / XSDFEC_REG_WIDTH_JUMP ||
> + offset + len > depth / XSDFEC_REG_WIDTH_JUMP) {
> dev_dbg(xsdfec->dev, "Write exceeds SC table length");
> return -EINVAL;
> }
>
Reviewed-by: Michal Simek <michal.simek@xxxxxxxxxx>
Thanks,
Michal
