authorDan Carpenter <dan.carpenter@oracle.com>2013-10-22 15:24:42 -0700
committerJohn W. Linville <linville@tuxdriver.com>2013-11-11 14:38:56 -0500
commit95edbc30db7882a45c4040747331cf613aa23c4a (patch)
treef3867f5c4caa148508daa7d725d84329486f1d1f
parent3aef7dde8dcf09e0124f0a2665845a507331972b (diff)
mwifiex: potential integer underflow in mwifiex_ret_wmm_get_status()
Before we loop for next iteration we adjust the buffer pointer and "resp_len": curr += (tlv_len + sizeof(tlv_hdr->header)); resp_len -= (tlv_len + sizeof(tlv_hdr->header)); If "resp_len" gets set to negative then it counts as a high positive value. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/mwifiex/wmm.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/net/wireless/mwifiex/wmm.c b/drivers/net/wireless/mwifiex/wmm.c
index 5dd0ccc70b86..13eaeed03898 100644
--- a/drivers/net/wireless/mwifiex/wmm.c
+++ b/drivers/net/wireless/mwifiex/wmm.c
@@ -722,6 +722,9 @@ int mwifiex_ret_wmm_get_status(struct mwifiex_private *priv,
tlv_hdr = (struct mwifiex_ie_types_data *) curr;
tlv_len = le16_to_cpu(tlv_hdr->header.len);
+ if (resp_len < tlv_len + sizeof(tlv_hdr->header))
+ break;
+
switch (le16_to_cpu(tlv_hdr->header.type)) {
case TLV_TYPE_WMMQSTATUS:
tlv_wmm_qstatus =
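Review bot: The added bound `if (resp_len < tlv_len + sizeof(tlv_hdr->header))` only shows that the declared TLV fits in the remaining response; it does not show that `tlv_len` is large enough for the type-specific structure that `case TLV_TYPE_WMMQSTATUS:` begins assigning on the last visible line. That case body continues outside the hunk, so this is inferred, but if it casts `tlv_hdr` to a larger struct and reads its fields, a short TLV would still be read past its declared end. Assuming the struct includes the TLV header, a per-case check such as `if (tlv_len + sizeof(tlv_hdr->header) < sizeof(*tlv_wmm_qstatus)) break;` before the field reads would cover it. The new `break` also stops parsing silently, so a comment such as `/* tlv_len comes from the firmware response; stop if it overruns resp_len */` and a debug message would make a truncated or malformed response visible during triage.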