mwifiex: potential integer underflow in mwifiex_ret_wmm_get_status()
Before we loop for next iteration we adjust the buffer pointer and "resp_len": curr += (tlv_len + sizeof(tlv_hdr->header)); resp_len -= (tlv_len + sizeof(tlv_hdr->header)); If "resp_len" gets set to negative then it counts as a high positive value. Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com> Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NBing Zhao <bzhao@marvell.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
Showing
想要评论请 注册 或 登录