From ee2104ea865f8a12eebb382aa502f248e14a5a2d Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Mon, 17 Feb 2014 22:57:31 +0300 Subject: [PATCH] staging/bcm: integer underflow leads to Oom We do: if (NOB > DEFAULT_BUFF_SIZE) BuffSize = DEFAULT_BUFF_SIZE; else BuffSize = NOB; Since NOB can be negative it results in a larger than intended BuffSize and makes kzalloc() fail. The code is still a bit crap because it lets the users read as much as they want from nvram, but I don't know what a sensible upper limit should be. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- drivers/staging/bcm/Bcmchar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c index 6f1997dc44c8..5e4dfe031040 100644 --- a/drivers/staging/bcm/Bcmchar.c +++ b/drivers/staging/bcm/Bcmchar.c @@ -1894,7 +1894,7 @@ static int bcm_char_ioctl_nvm_raw_read(void __user *argp, struct bcm_mini_adapte { struct bcm_nvm_readwrite stNVMRead; struct bcm_ioctl_buffer IoBuffer; - INT NOB; + unsigned int NOB; INT BuffSize; INT ReadOffset = 0; UINT ReadBytes = 0;