rndis_wlan: integer overflows in rndis_wlan_do_link_up_work()
authorDan Carpenter <dan.carpenter@oracle.com>
Thu, 1 Mar 2012 07:02:08 +0000 (10:02 +0300)
committerJohn W. Linville <linville@tuxdriver.com>
Mon, 5 Mar 2012 20:23:15 +0000 (15:23 -0500)
commit41eedf39dfb145fb8fa04cd5b799f7bdc7679696
tree359897e247fc8112046abae3540759eea33213e2
parent5533513784a88049e19dd2ab380a452b61e5171e
rndis_wlan: integer overflows in rndis_wlan_do_link_up_work()

If "offset" is negative then we can get past this check:
if (offset > CONTROL_BUFFER_SIZE)
Or if we pick a very high "req_ie_len" then we can get around the check:
if (offset + req_ie_len > CONTROL_BUFFER_SIZE)

I made "resp_ie_len" and "req_ie_len" unsigned.  I don't know if it was
intentional that they were signed in the original.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/rndis_wlan.c