Commit 3e4336a6 authored May 06, 2015 by Jason A. Donenfeld Committed by David S. Miller May 09, 2015

usbnet: avoid integer overflow in start_xmit

transfer_buffer_length is of type u32. It's therefore wrong to assign it
to a signed integer. This patch avoids the overflow.

It's worth noting that entry->length here is a long; perhaps it would be
beneficial at somepoint to change this to be unsigned as well, if
nothing else relies on its signedness for error conditions or the like.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 240b23c4

drivers/net/usb/usbnet.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -1285,7 +1285,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
		struct net_device *net)
		{
		struct usbnet *dev = netdev_priv(net);
		int length;
		unsigned int length;
		struct urb *urb = NULL;
		struct skb_data *entry;
		struct driver_info *info = dev->driver_info;
		@@ -1413,7 +1413,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
		}
		} else
		netif_dbg(dev, tx_queued, dev->net,
		"> tx, len %d, type 0x%x\n", length, skb->protocol);
		"> tx, len %u, type 0x%x\n", length, skb->protocol);
		#ifdef CONFIG_PM
		deferred:
		#endif