From c0acfd122814c4bfdde5657a5161d5f2c43c8c0b Mon Sep 17 00:00:00 2001
From: four0four
Date: Fri, 30 Oct 2020 00:22:18 -0700
Subject: [PATCH] [module] fix integer overflow in kvmfr_dmabuf_create
---
 module/dkms.conf | 2 +-
 module/kvmfr.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/module/dkms.conf b/module/dkms.conf
index 7acc8c3e..46a965c3 100644
--- a/module/dkms.conf
+++ b/module/dkms.conf
@@ -1,5 +1,5 @@
 PACKAGE_NAME="kvmfr"
-PACKAGE_VERSION="0.0.3"
+PACKAGE_VERSION="0.0.4"
 BUILT_MODULE_NAME[0]="${PACKAGE_NAME}"
 MAKE[0]="make KDIR=${kernel_source_dir}"
 CLEAN="make KDIR=${kernel_source_dir} clean"
diff --git a/module/kvmfr.c b/module/kvmfr.c
index b258aabc..35dbf786 100644
--- a/module/kvmfr.c
+++ b/module/kvmfr.c
@@ -37,7 +37,7 @@ DEFINE_MUTEX(minor_lock);
 DEFINE_IDR(kvmfr_idr);
 #define KVMFR_UIO_NAME "KVMFR"
-#define KVMFR_UIO_VER "0.0.3"
+#define KVMFR_UIO_VER "0.0.4"
 #define KVMFR_DEV_NAME "kvmfr"
 #define KVMFR_MAX_DEVICES 10
@@ -171,7 +171,7 @@ static long kvmfr_dmabuf_create(struct kvmfr_dev * kdev, struct file * filp, uns
 return -EINVAL;
 }
- if (create.offset + create.size > kdev->size)
+ if ((create.offset + create.size > kdev->size) || (create.offset + create.size < create.offset))
 return -EINVAL;
 kbuf = kzalloc(sizeof(struct kvmfrbuf), GFP_KERNEL);
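Review bot: The added wraparound test `create.offset + create.size < create.offset` in kvmfr_dmabuf_create is only reliable if both fields are unsigned and at least as wide as `int`. Their declarations are outside the hunk, so this should be confirmed; with signed fields the overflow is undefined and the compiler may drop the test. A form that never computes the sum avoids that dependency, assuming `kdev->size` is unsigned as well: `if (create.offset > kdev->size || create.size > kdev->size - create.offset) return -EINVAL;`. A short comment above it, such as `/* reject ranges that wrap or extend past the device memory */`, would record why the bound is written this way. The function body starts and ends outside the hunk, so whether a zero `create.size` is rejected earlier cannot be seen from here.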