NFC: potential integer overflow problem in check_crc() If "buf[0]" is 255 then "len" gets set to 0. The call to "crc_ccitt(0xffff, buf, len - 2);" casts the "len - 2" to a high positive number which is ugly. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>

commit: 885ba1da689299ec52e646ca1a2429b8de55f364 [log] [tgz]
author: Dan Carpenter <dan.carpenter@oracle.com> Fri May 18 10:36:47 2012 +0300
committer: John W. Linville <linville@tuxdriver.com> Fri May 25 11:16:16 2012 -0400
tree: 14cda3eb36796e77510994306c73197f47a5ff16
parent: f380f2c4a12e913356bd49f8790ec1063c4fe9f8 [diff] [blame]
diff --git a/drivers/nfc/pn544_hci.c b/drivers/nfc/pn544_hci.c
index 46f4a9f..281f18c 100644
--- a/drivers/nfc/pn544_hci.c
+++ b/drivers/nfc/pn544_hci.c

@@ -232,7 +232,7 @@
 
 static int check_crc(u8 *buf, int buflen)
 {
-	u8 len;
+	int len;
 	u16 crc;
 
 	len = buf[0] + 1;
commit	885ba1da689299ec52e646ca1a2429b8de55f364	[log] [tgz]
author	Dan Carpenter <dan.carpenter@oracle.com>	Fri May 18 10:36:47 2012 +0300
committer	John W. Linville <linville@tuxdriver.com>	Fri May 25 11:16:16 2012 -0400
tree	14cda3eb36796e77510994306c73197f47a5ff16
parent	f380f2c4a12e913356bd49f8790ec1063c4fe9f8 [diff] [blame]