diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-10-22 15:24:42 -0700 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2013-11-11 14:38:56 -0500 |
commit | 95edbc30db7882a45c4040747331cf613aa23c4a (patch) | |
tree | f3867f5c4caa148508daa7d725d84329486f1d1f | |
parent | 3aef7dde8dcf09e0124f0a2665845a507331972b (diff) | |
download | op-kernel-dev-95edbc30db7882a45c4040747331cf613aa23c4a.zip op-kernel-dev-95edbc30db7882a45c4040747331cf613aa23c4a.tar.gz |
mwifiex: potential integer underflow in mwifiex_ret_wmm_get_status()
Before we loop for next iteration we adjust the buffer pointer and
"resp_len":
curr += (tlv_len + sizeof(tlv_hdr->header));
resp_len -= (tlv_len + sizeof(tlv_hdr->header));
If "resp_len" gets set to negative then it counts as a high positive
value.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r-- | drivers/net/wireless/mwifiex/wmm.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/net/wireless/mwifiex/wmm.c b/drivers/net/wireless/mwifiex/wmm.c index 5dd0ccc..13eaeed 100644 --- a/drivers/net/wireless/mwifiex/wmm.c +++ b/drivers/net/wireless/mwifiex/wmm.c @@ -722,6 +722,9 @@ int mwifiex_ret_wmm_get_status(struct mwifiex_private *priv, tlv_hdr = (struct mwifiex_ie_types_data *) curr; tlv_len = le16_to_cpu(tlv_hdr->header.len); + if (resp_len < tlv_len + sizeof(tlv_hdr->header)) + break; + switch (le16_to_cpu(tlv_hdr->header.type)) { case TLV_TYPE_WMMQSTATUS: tlv_wmm_qstatus = |