Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e4e02da2 authored by Dan Carpenter's avatar Dan Carpenter Committed by John W. Linville
Browse files

rndis_wlan: prevent integer overflow in indication() 



If we pick a high value for "offset" then it could lead to an integer
overflow and we would get past the check for:
	if (offset + len > buflen) { ...

Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Acked-by: default avatarJussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 551d6fe6

drivers/net/wireless/rndis_wlan.c

+2 −2
Original line number Diff line number Diff line
@@ -3043,7 +3043,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev, 
			struct rndis_indicate *msg, int buflen)

{

	struct ndis_80211_status_indication *indication;

	int len, offset;

	unsigned int len, offset;



	offset = offsetof(struct rndis_indicate, status) +

			le32_to_cpu(msg->offset);
@@ -3055,7 +3055,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev, 
		return;

	}



	if (offset + len > buflen) {

	if (len > buflen || offset > buflen || offset + len > buflen) {

		netdev_info(usbdev->net, "media specific indication, too large to fit to buffer (%i > %i)\n",

			    offset + len, buflen);

		return;