"k_tmp->len" and "total" are unsigned integers. The first message could be close to "bufsiz" (4096) and then the next message could be 4GB which would cause an integer overflow.
Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
---
I don't have a way to test this. I originally sent this message on Tue, 18 Oct 2011. I'm not totally sure what the implications are but it seemed like there might be security implications. I honestly don't know. I never received any feedback on the patch.
diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c index 830adbe..aab05e1 100644 --- a/drivers/spi/spidev.c +++ b/drivers/spi/spidev.c @@ -241,7 +241,7 @@ static int spidev_message(struct spidev_data *spidev, k_tmp->len = u_tmp->len; total += k_tmp->len; - if (total > bufsiz) { + if (total > bufsiz || total < k_tmp->len) { status = -EMSGSIZE; goto done; }
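Review bot: the added `total < k_tmp->len` clause does catch a wrapped sum (after `total += k_tmp->len`, an unsigned total that wrapped is necessarily smaller than the value just added), but it inspects the wrapped value after the fact. Since the existing check leaves `total <= bufsiz` after every accepted transfer, testing `if (k_tmp->len > bufsiz - total)` before the addition cannot underflow and rejects exactly the same messages without ever forming the wrapped intermediate; whichever form is kept, a one-line comment stating that the second clause is an overflow check would help the next reader of this hunk.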
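As an added illustration, not the kernel's code or the patch author's, here is a user-space model of the length accounting described in the commit message; it assumes 32-bit unsigned transfer lengths and the 4096-byte bufsiz named above, and shows the original check accepting a wrapped total while the patched check rejects it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

/* Constructed model of the spidev_message() length loop. bufsiz mirrors the
 * 4096 mentioned in the commit message; lengths are assumed 32-bit unsigned. */
#define BUFSIZ_MODEL 4096u

/* Original check: only the running total is compared, so a sum that wrapped
 * past UINT32_MAX looks small and is accepted. out may be NULL. */
static int sum_lengths_unchecked(const uint32_t *lens, size_t n, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += lens[i];                 /* may wrap silently */
        if (total > BUFSIZ_MODEL)
            return -EMSGSIZE;
    }
    if (out)
        *out = total;
    return 0;
}

/* Patched check: an unsigned sum that wrapped is smaller than the value that
 * was just added, so "total < lens[i]" detects the wrap. out may be NULL. */
static int sum_lengths_patched(const uint32_t *lens, size_t n, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += lens[i];
        if (total > BUFSIZ_MODEL || total < lens[i])
            return -EMSGSIZE;
    }
    if (out)
        *out = total;
    return 0;
}

int main(void)
{
    /* Constructed input: a first transfer near bufsiz, then a 4 GB one. */
    const uint32_t lens[] = { 4000u, 0xFFFFFFFFu };
    uint32_t total = 0;
    int rc = sum_lengths_unchecked(lens, 2, &total);
    printf("unchecked: rc=%d total=%u (wrapped, accepted)\n", rc, total);
    rc = sum_lengths_patched(lens, 2, &total);
    printf("patched:   rc=%d (-EMSGSIZE is %d)\n", rc, -EMSGSIZE);
    return 0;
}
```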