Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

NFC: potential integer overflow problem in check_crc()

If "buf[0]" is 255 then "len" gets set to 0. The call to
"crc_ccitt(0xffff, buf, len - 2);" casts the "len - 2" to a high
positive number which is ugly.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

authored by Dan Carpenter and committed by John W. Linville
885ba1da f380f2c4

+1 -1
drivers/nfc/pn544_hci.c
··· 232 232 233 233 static int check_crc(u8 *buf, int buflen) 234 234 { 235 - u8 len; 235 + int len; 236 236 u16 crc; 237 237 238 238 len = buf[0] + 1;
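Review bot: After `len = buf[0] + 1;` nothing in the visible lines bounds `len` from below or against `buflen`, so widening `len` to int only fixes the buf[0] == 255 wrap. With buf[0] == 0, `len` is 1 and the `len - 2` that the commit message says is passed to crc_ccitt() is -1, which still converts to a very large size_t length. Suggest rejecting the frame before the CRC call when len < 2 or len > buflen, unless a check outside this context already does so; `buflen` is not used anywhere in the lines shown.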