Hi Dan,
> -----Original Message----- > From: Dan Carpenter [mailto:[email protected]] > Sent: Wednesday 21 August 2019 08:11 > To: Derek Kiernan <[email protected]>; Dragan Cvetic <[email protected]> > Cc: Arnd Bergmann <[email protected]>; Greg Kroah-Hartman > <[email protected]>; Michal Simek <[email protected]>; > [email protected]; [email protected]; > [email protected] > Subject: [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in > xsdfec_table_write() > > The checking here needs to handle integer overflows because "offset" and > "len" come from the user. Good catch, thanks. > > Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC") > Signed-off-by: Dan Carpenter <[email protected]> > --- > drivers/misc/xilinx_sdfec.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c > index 3fc53d20abf3..0bf3bcc8e1ef 100644 > --- a/drivers/misc/xilinx_sdfec.c > +++ b/drivers/misc/xilinx_sdfec.c > @@ -611,7 +611,9 @@ static int xsdfec_table_write(struct xsdfec_dev *xsdfec, > u32 offset, > * Writes that go beyond the length of > * Shared Scale(SC) table should fail > */ > - if ((XSDFEC_REG_WIDTH_JUMP * (offset + len)) > depth) { > + if (offset > depth / XSDFEC_REG_WIDTH_JUMP || > + len > depth / XSDFEC_REG_WIDTH_JUMP || > + offset + len > depth / XSDFEC_REG_WIDTH_JUMP) { > dev_dbg(xsdfec->dev, "Write exceeds SC table length"); > return -EINVAL; > } > -- > 2.20.1 Reviewed-by: Dragan Cvetic <[email protected]> Thanks Dragan
