RE: [patch] mwifiex: potential integer underflow in mwifiex_ret_wmm_get_status()

Hi Dan,

> If "resp_len" gets set to negative then it counts as a high positive value.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> I spotted this reviewing the int => bool changes, but I don't have the
> hardware and can't test it.

Thanks for spotting this potential integer underflow problem.

I think we can change the 'resp_len' variable type to a signed integer to fix this issue.

Thanks,
Bing

> 
> diff --git a/drivers/net/wireless/mwifiex/wmm.c
> b/drivers/net/wireless/mwifiex/wmm.c
> index 2e8f9cd..3c6ee3a 100644
> --- a/drivers/net/wireless/mwifiex/wmm.c
> +++ b/drivers/net/wireless/mwifiex/wmm.c
> @@ -772,6 +772,8 @@ int mwifiex_ret_wmm_get_status(struct
> mwifiex_private *priv,
>  			break;
>  		}
> 
> +		if (resp_len < tlv_len + sizeof(tlv_hdr->header))
> +			break;
>  		curr += (tlv_len + sizeof(tlv_hdr->header));
>  		resp_len -= (tlv_len + sizeof(tlv_hdr->header));
>  	}
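Review bot: the new `if (resp_len < tlv_len + sizeof(tlv_hdr->header))` test sits at the bottom of the loop body, after the `break; }` that closes the per-TLV handling above it (not fully visible in this hunk), so anything that handling reads from the current TLV has already happened by the time tlv_len is compared with resp_len. Consider doing the comparison as soon as tlv_len is known, before the TLV is interpreted, so an oversized length is rejected before its payload is touched. Note also that sizeof() yields size_t, so this comparison is carried out unsigned: if resp_len were made a signed type, a negative value would convert to a large unsigned one here and the test would not break out, so the guard should keep resp_len from ever going below zero rather than depend on detecting it afterwards.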
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
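The wrap-around described in the commit message, as an added example that is not part of the original thread or the mwifiex driver: a user-space TLV walk that validates each length against the unsigned remaining count before use. The 4-byte header layout, the function names and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLV_HDR_LEN 4u /* assumed layout: 2-byte type + 2-byte length, little endian */

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The subtraction from the patch context on an unsigned counter, with no check.
 * Returns what would be left after consuming one TLV. */
static size_t remaining_unchecked(size_t resp_len, uint16_t tlv_len)
{
    return resp_len - (tlv_len + TLV_HDR_LEN); /* wraps when the TLV overruns */
}

/* Walk the buffer, validating each TLV against what is left before using it.
 * Returns the number of well-formed TLVs, or -1 if one claims more than remains. */
static int walk_tlvs_checked(const uint8_t *buf, size_t resp_len)
{
    const uint8_t *curr = buf;
    int count = 0;

    while (resp_len >= TLV_HDR_LEN) {
        size_t tlv_len = rd_le16(curr + 2);

        /* Compare against the space after the header so nothing can wrap. */
        if (tlv_len > resp_len - TLV_HDR_LEN)
            return -1;
        count++;
        curr += TLV_HDR_LEN + tlv_len;
        resp_len -= TLV_HDR_LEN + tlv_len;
    }
    return count;
}

/* Constructed sample responses (not captured firmware data). */
static const uint8_t good_resp[] = { 0x10, 0x00, 0x02, 0x00, 0xaa, 0xbb,
                                     0x11, 0x00, 0x00, 0x00 };
static const uint8_t bad_resp[]  = { 0x10, 0x00, 0x02, 0x00, 0xaa, 0xbb,
                                     0x11, 0x00, 0x40, 0x00, 0xcc };

int main(void)
{
    printf("good: %d TLVs\n", walk_tlvs_checked(good_resp, sizeof(good_resp)));
    printf("bad:  %d\n", walk_tlvs_checked(bad_resp, sizeof(bad_resp)));
    printf("unchecked remainder: %zu\n", remaining_unchecked(5, 0x40));
    return 0;
}
```

In `bad_resp` the second TLV claims 0x40 payload bytes with only one byte left; the unchecked subtraction turns the 5 remaining bytes into a value just below `SIZE_MAX`, which is the "high positive value" the commit message refers to.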



