CHROMIUM: gobi: fix integer wraparound bug

All the sizes here are bounded on the wire by 16 bits, to switch to size_t and
check for wraparound more carefully.

BUG=chromium-os:38210
TEST=adhoc
build, boot, see if the gobi still shows up

Change-Id: I492e632722714b1a869929d03c33a4fc12995120
Signed-off-by: Elly Fong-Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/42559
Reviewed-by: Kees Cook <keescook@chromium.org>

diff --git a/drivers/net/usb/gobi/qmi.c b/drivers/net/usb/gobi/qmi.c
index 7293a044cfbd807c7703a75d709b9a042be22a91..32b3b654b306492f6857f3e21a0b88d3ab785c06 100644 (file)
--- a/drivers/net/usb/gobi/qmi.c
+++ b/drivers/net/usb/gobi/qmi.c
@@ -215,10 +215,10 @@ int qmux_fill(u16 cid, struct buffer *buf)
        return 0;
 }
 
-static int tlv_get(void *msg, u16 msgsize, u8 type, void *buf, u16 bufsize)
+static int tlv_get(void *msg, size_t msgsize, u8 type, void *buf, size_t bufsize)
 {
-       u16 pos;
-       u16 msize = 0;
+       size_t pos;
+       size_t msize = 0;
 
        BUG_ON(!msg || !buf);
 
@@ -230,11 +230,18 @@ static int tlv_get(void *msg, u16 msgsize, u8 type, void *buf, u16 bufsize)
 
                if (bufsize < msize) {
                        GOBI_ERROR("found type 0x%02x, "
-                           "but value too big (%d > %d)",
+                           "but value too big (%zu > %zu)",
                            type, msize, bufsize);
                        return -ENOMEM;
                }
 
+               /* loop is guarded by pos + 3 < msgsize */
+               if (msize > msgsize - (pos + 3)) {
+                       GOBI_ERROR("message field too long:"
+                                  "%zu + 3 + %zu > %zu", pos, msize, msgsize);
+                       return -ENOMEM;
+               }
+
                memcpy(buf, msg + pos + 3, msize);
 
                return msize;