Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ee2104ea authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman
Browse files

staging/bcm: integer underflow leads to Oom 



We do:

        if (NOB > DEFAULT_BUFF_SIZE)
                BuffSize = DEFAULT_BUFF_SIZE;
        else
                BuffSize = NOB;

Since NOB can be negative it results in a larger than intended BuffSize
and makes kzalloc() fail.

The code is still a bit crap because it lets the users read as much as
they want from nvram, but I don't know what a sensible upper limit
should be.

Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent cfff3e5c

drivers/staging/bcm/Bcmchar.c

+1 −1
Original line number Diff line number Diff line
@@ -1894,7 +1894,7 @@ static int bcm_char_ioctl_nvm_raw_read(void __user *argp, struct bcm_mini_adapte 
{

	struct bcm_nvm_readwrite stNVMRead;

	struct bcm_ioctl_buffer IoBuffer;

	INT NOB;

	unsigned int NOB;

	INT BuffSize;

	INT ReadOffset = 0;

	UINT ReadBytes = 0;