usbnet: avoid integer overflow in start_xmit

transfer_buffer_length is of type u32. It's therefore wrong to assign it to a signed integer. This patch avoids the overflow. It's worth noting that entry->length here is a long; perhaps it would be beneficial at somepoint to change this to be unsigned as well, if nothing else relies on its signedness for error conditions or the like. Signed-off-by: N Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

usbnet: avoid integer overflow in start_xmit
transfer_buffer_length is of type u32. It's therefore wrong to assign it to a signed integer. This patch avoids the overflow. It's worth noting that entry->length here is a long; perhaps it would be beneficial at somepoint to change this to be unsigned as well, if nothing else relies on its signedness for error conditions or the like. Signed-off-by: N Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
3e4336a6 · Jason A. Donenfeld · David S. Miller · 240b23c4 · 3e4336a6
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

drivers/net/usb/usbnet.c drivers/net/usb/usbnet.c +2 -2

未找到文件。
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1285,7 +1285,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
 				     struct net_device *net)
 {
 	struct usbnet		*dev = netdev_priv(net);
-	int			length;
+	unsigned int			length;
 	struct urb		*urb = NULL;
 	struct skb_data		*entry;
 	struct driver_info	*info = dev->driver_info;
@@ -1413,7 +1413,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb,
 		}
 	} else
 		netif_dbg(dev, tx_queued, dev->net,
-			  "> tx, len %d, type 0x%x\n", length, skb->protocol);
+			  "> tx, len %u, type 0x%x\n", length, skb->protocol);
 #ifdef CONFIG_PM
 deferred:
 #endif