summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2012-05-18 10:36:47 +0300
committerJohn W. Linville <linville@tuxdriver.com>2012-05-25 11:16:16 -0400
commit885ba1da689299ec52e646ca1a2429b8de55f364 (patch)
tree14cda3eb36796e77510994306c73197f47a5ff16
parentf380f2c4a12e913356bd49f8790ec1063c4fe9f8 (diff)
NFC: potential integer overflow problem in check_crc()
If "buf[0]" is 255 then "len" gets set to 0. The call to "crc_ccitt(0xffff, buf, len - 2);" casts the "len - 2" to a high positive number which is ugly. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/nfc/pn544_hci.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/nfc/pn544_hci.c b/drivers/nfc/pn544_hci.c
index 46f4a9f9f5e4..281f18c2fb82 100644
--- a/drivers/nfc/pn544_hci.c
+++ b/drivers/nfc/pn544_hci.c
@@ -232,7 +232,7 @@ static int pn544_hci_i2c_write(struct i2c_client *client, u8 *buf, int len)
static int check_crc(u8 *buf, int buflen)
{
- u8 len;
+ int len;
u16 crc;
len = buf[0] + 1;