Quoting Dan Carpenter <dan.carpenter@xxxxxxxxxx>:
If we pick a high value for "offset" then it could lead to an integer
overflow and we would get past the check for:
if (offset + len > buflen) { ...
Acked-by: Jussi Kivilinna <jussi.kivilinna@xxxxxxxx>
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
diff --git a/drivers/net/wireless/rndis_wlan.c
b/drivers/net/wireless/rndis_wlan.c
index 74e2d1b..dfd76e3 100644
--- a/drivers/net/wireless/rndis_wlan.c
+++ b/drivers/net/wireless/rndis_wlan.c
@@ -3043,7 +3043,7 @@ static void
rndis_wlan_media_specific_indication(struct usbnet *usbdev,
struct rndis_indicate *msg, int buflen)
{
struct ndis_80211_status_indication *indication;
- int len, offset;
+ unsigned int len, offset;
offset = offsetof(struct rndis_indicate, status) +
le32_to_cpu(msg->offset);
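Review bot: buflen keeps its `int` type while len and offset become `unsigned int`, so every comparison against buflen in this function now promotes buflen to unsigned; a negative buflen, should a caller ever pass one, would then compare as a huge value and the size check would pass. The visible lines do not show where buflen comes from, so either make buflen unsigned as well or note in the commit message that callers guarantee it is non-negative.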
@@ -3055,7 +3055,7 @@ static void
rndis_wlan_media_specific_indication(struct usbnet *usbdev,
return;
}
- if (offset + len > buflen) {
+ if (len > buflen || offset > buflen || offset + len > buflen) {
netdev_info(usbdev->net, "media specific indication, too large to
fit to buffer (%i > %i)\n",
offset + len, buflen);
return;
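Review bot: the three-part check is sound (once both len and offset are bounded by an `int` buflen, their sum cannot wrap a 32-bit unsigned), but the netdev_info() format still uses `%i` for `offset + len`, which is now an unsigned expression; change it to `%u`, and consider printing offset and len separately, since the message says "%i > %i" even when the failing condition was `len > buflen` or `offset > buflen` alone and the printed sum may not exceed buflen.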
--
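The overflow described in the commit message, as an added C example that is not part of the patch or of the driver: `fits_naive` models the pre-patch single-sum check (with uint32_t so the wrap is defined rather than the undefined signed overflow of the original `int`), and `fits_checked` mirrors the post-patch form; the function names and the sample values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-patch style check: a single sum compared against the buffer length.
 * With offset near UINT32_MAX the sum wraps to a small value and the check
 * passes even though offset alone is far outside the buffer. */
static bool fits_naive(uint32_t offset, uint32_t len, uint32_t buflen)
{
    return (offset + len) <= buflen;  /* may wrap */
}

/* Post-patch style check: bound each operand by buflen first. Two values
 * that are each <= INT_MAX sum to at most 2*INT_MAX, which fits in 32 bits,
 * so the final addition cannot wrap. A negative buflen is treated as
 * invalid here (an assumption; the kernel code passes buflen as int). */
static bool fits_checked(uint32_t offset, uint32_t len, int buflen)
{
    if (buflen < 0)
        return false;
    uint32_t ub = (uint32_t)buflen;
    if (len > ub || offset > ub || offset + len > ub)
        return false;
    return true;
}

int main(void)
{
    /* Constructed sample: a 100-byte buffer and an attacker-style header
     * whose offset is close to the top of the 32-bit range. */
    uint32_t offset = 0xFFFFFFF0u, len = 0x20u;
    int buflen = 100;

    printf("naive   : %s\n", fits_naive(offset, len, (uint32_t)buflen) ? "pass" : "reject");
    printf("checked : %s\n", fits_checked(offset, len, buflen) ? "pass" : "reject");
    return 0;
}
```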