NFC: potential integer overflow problem in check_crc() · 885ba1da68 - Gogs

NFC: potential integer overflow problem in check_crc()

If "buf[0]" is 255 then "len" gets set to 0.  The call to
"crc_ccitt(0xffff, buf, len - 2);" casts the "len - 2" to a high
positive number which is ugly.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

Dan Carpenter 13 years ago

parent

f380f2c4a1

commit

885ba1da68

1 changed files with 1 additions and 1 deletions

Split View Show Diff Stats

						
							+ 1
							
							- 1
						
drivers/nfc/pn544_hci.c
							 
								View File
							
				@@ -232,7 +232,7 @@ static int pn544_hci_i2c_write(struct i2c_client *client, u8 *buf, int len)
			
				 static int check_crc(u8 *buf, int buflen)
			
				 {
			
				-	u8 len;
			
				+	int len;
			
				 	u16 crc;
			
				 	len = buf[0] + 1;