Commit 885ba1da authored May 18, 2012 by Dan Carpenter Committed by John W. Linville May 25, 2012

NFC: potential integer overflow problem in check_crc()



If "buf[0]" is 255 then "len" gets set to 0.  The call to
"crc_ccitt(0xffff, buf, len - 2);" casts the "len - 2" to a high
positive number which is ugly.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

parent f380f2c4

drivers/nfc/pn544_hci.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -232,7 +232,7 @@ static int pn544_hci_i2c_write(struct i2c_client client, u8 buf, int len)

		static int check_crc(u8 *buf, int buflen)
		{
		u8 len;
		int len;
		u16 crc;

		len = buf[0] + 1;