Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / kernel / msm / 41eedf39dfb145fb8fa04cd5b799f7bdc7679696
commit41eedf39dfb145fb8fa04cd5b799f7bdc7679696[log] [tgz]
authorDan Carpenter <dan.carpenter@oracle.com>Thu Mar 01 10:02:08 2012 +0300
committerJohn W. Linville <linville@tuxdriver.com>Mon Mar 05 15:23:15 2012 -0500
tree359897e247fc8112046abae3540759eea33213e2
parent5533513784a88049e19dd2ab380a452b61e5171e [diff]
rndis_wlan: integer overflows in rndis_wlan_do_link_up_work()

If "offset" is negative then we can get past this check:
	if (offset > CONTROL_BUFFER_SIZE)
Or if we pick a very high "req_ie_len" then we can get around the check:
	if (offset + req_ie_len > CONTROL_BUFFER_SIZE)

I made "resp_ie_len" and "req_ie_len" unsigned.  I don't know if it was
intentional that they were signed in the original.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
1 file changed
tree: 359897e247fc8112046abae3540759eea33213e2
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS