NFC: potential integer overflow problem in check_crc()

If "buf[0]" is 255 then "len" gets set to 0. The call to "crc_ccitt(0xffff, buf, len - 2);" casts the "len - 2" to a high positive number which is ugly. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>

NFC: potential integer overflow problem in check_crc()
If "buf[0]" is 255 then "len" gets set to 0. The call to "crc_ccitt(0xffff, buf, len - 2);" casts the "len - 2" to a high positive number which is ugly. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
885ba1da · Dan Carpenter · John W. Linville · f380f2c4 · 885ba1da
Commit 885ba1da authored May 18, 2012 by Dan Carpenter Committed by John W. Linville May 25, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/nfc/pn544_hci.c drivers/nfc/pn544_hci.c +1 -1

No files found.
--- a/drivers/nfc/pn544_hci.c
+++ b/drivers/nfc/pn544_hci.c
@@ -232,7 +232,7 @@ static int pn544_hci_i2c_write(struct i2c_client *client, u8 *buf, int len)

 static int check_crc(u8 *buf, int buflen)
 {
-	u8 len;
+	int len;
 	u16 crc;

 	len = buf[0] + 1;