diff options
| author |   Dan Carpenter <dan.carpenter@oracle.com> | 2012-05-18 10:36:47 +0300 |
|---|---|---|
| committer |   John W. Linville <linville@tuxdriver.com> | 2012-05-25 11:16:16 -0400 |
| commit | 885ba1da689299ec52e646ca1a2429b8de55f364 (patch) | |
| tree | 14cda3eb36796e77510994306c73197f47a5ff16 /drivers/nfc | |
| parent | wl1251: fix oops on early interrupt (diff) | |
| download | linux-dev-885ba1da689299ec52e646ca1a2429b8de55f364.tar.xz linux-dev-885ba1da689299ec52e646ca1a2429b8de55f364.zip | |
NFC: potential integer overflow problem in check_crc()
If "buf[0]" is 255 then "len" gets set to 0. The call to
"crc_ccitt(0xffff, buf, len - 2);" casts the "len - 2" to a high
positive number which is ugly.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/nfc')
| -rw-r--r-- | drivers/nfc/pn544_hci.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/nfc/pn544_hci.c b/drivers/nfc/pn544_hci.c index 46f4a9f9f5e4..281f18c2fb82 100644 --- a/drivers/nfc/pn544_hci.c +++ b/drivers/nfc/pn544_hci.c @@ -232,7 +232,7 @@ static int pn544_hci_i2c_write(struct i2c_client *client, u8 *buf, int len) static int check_crc(u8 *buf, int buflen) { - u8 len; + int len; u16 crc; len = buf[0] + 1; |