rndis_wlan: integer overflows in rndis_wlan_do_link_up_work()
If "offset" is negative then we can get past this check: if (offset > CONTROL_BUFFER_SIZE) Or if we pick a very high "req_ie_len" then we can get around the check: if (offset + req_ie_len > CONTROL_BUFFER_SIZE) I made "resp_ie_len" and "req_ie_len" unsigned. I don't know if it was intentional that they were signed in the original. Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com> Acked-by: NJussi Kivilinna <jussi.kivilinna@mbnet.fi> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
Showing
想要评论请 注册 或 登录