[patch 5/6] Staging: gdm72xx: underflow bug in gdm_wimax_ioctl_get_data()

From: Dan Carpenter
Date: Mon Feb 22 2016 - 14:33:32 EST

Next message: Dan Carpenter: "[patch 6/6] Staging: gdm72xx: remove duplicate condition"
Previous message: Dan Carpenter: "[patch 4/6] staging: gdm72xx: zero out padding"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"size" here should be unsigned, otherwise we might end up trying to copy
negative bytes in gdm_wimax_ioctl_get_data() resulting in an information
leak.

Reported-by: Alan Cox <gnomes@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

diff --git a/drivers/staging/gdm72xx/wm_ioctl.h b/drivers/staging/gdm72xx/wm_ioctl.h
index 631cb1d..032cb07 100644
--- a/drivers/staging/gdm72xx/wm_ioctl.h
+++ b/drivers/staging/gdm72xx/wm_ioctl.h
@@ -74,12 +74,12 @@ struct fsm_s {
};

struct data_s {
- int size;
+ unsigned int size;
void *buf;
};

struct udata_s {
- int size;
+ unsigned int size;
void __user *buf;
};

Next message: Dan Carpenter: "[patch 6/6] Staging: gdm72xx: remove duplicate condition"
Previous message: Dan Carpenter: "[patch 4/6] staging: gdm72xx: zero out padding"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]