Search Linux Wireless

[patch] mwifiex: potential integer underflow in mwifiex_ret_wmm_get_status()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



If "resp_len" gets set to negative then it counts as a high positive
value.

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
I spotted this reviewing the int => bool changes, but I don't have the
hardware and can't test it.

diff --git a/drivers/net/wireless/mwifiex/wmm.c b/drivers/net/wireless/mwifiex/wmm.c
index 2e8f9cd..3c6ee3a 100644
--- a/drivers/net/wireless/mwifiex/wmm.c
+++ b/drivers/net/wireless/mwifiex/wmm.c
@@ -772,6 +772,8 @@ int mwifiex_ret_wmm_get_status(struct mwifiex_private *priv,
 			break;
 		}
 
+		if (resp_len < tlv_len + sizeof(tlv_hdr->header))
+			break;
 		curr += (tlv_len + sizeof(tlv_hdr->header));
 		resp_len -= (tlv_len + sizeof(tlv_hdr->header));
 	}
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux