mei: fix possible integer overflow issue

There is a possible integer overflow following by a buffer overflow when accumulating messages coming from the FW to compose a full payload. Occurrence of wrap around has to be prevented for next message size calculation. For unsigned integer the addition overflow has occurred when the result is smaller than one of the arguments. To simplify the fix, the types of buf.size and buf_idx are set to the same width, namely size_t also to be aligned with the type of length parameter in file read/write ops. Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Tomas Winkler <tomas.winkler@intel.com> 2016-02-07 23:35:19 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-02-07 14:47:20 -0800
commit: f862b6b24f0ffd954633a55f39251a6873b664ca (patch)
tree: 7f23452860c79dc4fe8a8903b4d642eb8cd40213 /drivers/misc/mei/mei_dev.h
parent: 439a74b3373dab4214b4191d50dfb1d78be5b18e (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/misc/mei/mei_dev.h b/drivers/misc/mei/mei_dev.h
index da613268480c..9b793f87b7d4 100644
--- a/drivers/misc/mei/mei_dev.h
+++ b/drivers/misc/mei/mei_dev.h
@@ -126,7 +126,7 @@ enum mei_cb_file_ops {
  * Intel MEI message data struct
  */
 struct mei_msg_data {
-	u32 size;
+	size_t size;
 	unsigned char *data;
 };
 
@@ -190,7 +190,7 @@ struct mei_cl_cb {
 	struct mei_cl *cl;
 	enum mei_cb_file_ops fop_type;
 	struct mei_msg_data buf;
-	unsigned long buf_idx;
+	size_t buf_idx;
 	unsigned long read_time;
 	struct file *file_object;
 	int status;
author	Tomas Winkler <tomas.winkler@intel.com>	2016-02-07 23:35:19 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2016-02-07 14:47:20 -0800
commit	f862b6b24f0ffd954633a55f39251a6873b664ca (patch)
tree	7f23452860c79dc4fe8a8903b4d642eb8cd40213 /drivers/misc/mei/mei_dev.h
parent	439a74b3373dab4214b4191d50dfb1d78be5b18e (diff)