From ee2104ea865f8a12eebb382aa502f248e14a5a2d Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon, 17 Feb 2014 22:57:31 +0300
Subject: [PATCH] staging/bcm: integer underflow leads to Oom

We do:

        if (NOB > DEFAULT_BUFF_SIZE)
                BuffSize = DEFAULT_BUFF_SIZE;
        else
                BuffSize = NOB;

Since NOB can be negative it results in a larger than intended BuffSize
and makes kzalloc() fail.

The code is still a bit crap because it lets the users read as much as
they want from nvram, but I don't know what a sensible upper limit
should be.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/bcm/Bcmchar.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index 6f1997dc44c8..5e4dfe031040 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -1894,7 +1894,7 @@ static int bcm_char_ioctl_nvm_raw_read(void __user *argp, struct bcm_mini_adapte
 {
 	struct bcm_nvm_readwrite stNVMRead;
 	struct bcm_ioctl_buffer IoBuffer;
-	INT NOB;
+	unsigned int NOB;
 	INT BuffSize;
 	INT ReadOffset = 0;
 	UINT ReadBytes = 0;
-- 
2.11.0