rndis_wlan: prevent integer overflow in indication()

If we pick a high value for "offset" then it could lead to an integer
overflow and we would get past the check for:
	if (offset + len > buflen) { ...

Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Jussi Kivilinna <[email protected]>
Signed-off-by: John W. Linville <[email protected]>

diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index 454f2f1823424a03ddedc311949a97299ce5576e..ce138d846193270e0f316f8ccc43c8379052875d 100644 (file)
--- a/drivers/net/wireless/rndis_wlan.c
+++ b/drivers/net/wireless/rndis_wlan.c
@@ -3043,7 +3043,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
                        struct rndis_indicate *msg, int buflen)
 {
        struct ndis_80211_status_indication *indication;
-       int len, offset;
+       unsigned int len, offset;
 
        offset = offsetof(struct rndis_indicate, status) +
                        le32_to_cpu(msg->offset);
@@ -3055,7 +3055,7 @@ static void rndis_wlan_media_specific_indication(struct usbnet *usbdev,
                return;
        }
 
-       if (offset + len > buflen) {
+       if (len > buflen || offset > buflen || offset + len > buflen) {
                netdev_info(usbdev->net, "media specific indication, too large to fit to buffer (%i > %i)\n",
                            offset + len, buflen);
                return;