-
由 Vince Kim 提交于
There are several places to perform subtraction to calculate buffer size such as: si->si_ofs.cydata_size = si->si_ofs.test_ofs - si->si_ofs.cydata_ofs; ... p = krealloc(si->si_ptrs.cydata, si->si_ofs.cydata_size, GFP_KERNEL); Actually, data types of above variables during subtraction are size_t, so it is unsigned. That means if second operand(si->si_ofs.cydata_ofs) is greater than the first operand(si->si_ofs.test_ofs), then resulting si->si_ofs.cydata_size could result in an unsigned integer wrap which is not desirable. The proper way to correct this problem is to perform a test of both operands to avoid having unsigned wrap. Signed-off-by: NVince Kim <vince.k.kim@gmail.com> Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
a2c714e8