USB: cxacru: potential underflow in cxacru_cm_get_array()

commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream. The value of "offd" comes off the instance->rcv_buf[] and we used it as the offset into an array. The problem is that we check the upper bound but not for negative values. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Dan Carpenter <dan.carpenter@oracle.com> 2013-05-19 21:52:20 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-06-07 12:49:11 -0700
commit: fcaa80f4f20519ee7d432d727b375e7a181e6a50 (patch)
tree: 097548e8714ab85fb9d55b4364194a15f8c127ec
parent: dc8e739467bb6552d5e8325d5f32e356f48da3b6 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c
index 98b89fe1986..c8dbb970c08 100644
--- a/drivers/usb/atm/cxacru.c
+++ b/drivers/usb/atm/cxacru.c
@@ -686,7 +686,8 @@ static int cxacru_cm_get_array(struct cxacru_data *instance, enum cxacru_cm_requ
 {
 	int ret, len;
 	__le32 *buf;
-	int offb, offd;
+	int offb;
+	unsigned int offd;
 	const int stride = CMD_PACKET_SIZE / (4 * 2) - 1;
 	int buflen =  ((size - 1) / stride + 1 + size * 2) * 4;
author	Dan Carpenter <dan.carpenter@oracle.com>	2013-05-19 21:52:20 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-06-07 12:49:11 -0700
commit	fcaa80f4f20519ee7d432d727b375e7a181e6a50 (patch)
tree	097548e8714ab85fb9d55b4364194a15f8c127ec
parent	dc8e739467bb6552d5e8325d5f32e356f48da3b6 (diff)