author | Xi Wang <xi.wang@gmail.com> | 2011-11-29 21:53:46 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-11-30 05:29:40 -0500 |
commit | 201320435d017e8ebd449034547ef0518ec4d056 (patch) | |
tree | 28d3e3eb643611d1ff8c240baf9f46d40d6a4693 /drivers/staging/vt6656/ioctl.c | |
parent | 2a58b19fd97c7368c03c027419a2aeb26313adad (diff) |
staging: vt6656: integer overflows in private_ioctl()
There are two potential integer overflows in private_ioctl() if
userspace passes in a large sList.uItem / sNodeList.uItem. The
subsequent call to kmalloc() would allocate a small buffer, leading
to a memory corruption.
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/staging/vt6656/ioctl.c')
-rw-r--r-- | drivers/staging/vt6656/ioctl.c | 8 |
1 files changed, 8 insertions, 0 deletions
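--- a/drivers/staging/vt6656/ioctl.c
+++ b/drivers/staging/vt6656/ioctl.c
@@ -295,6 +295,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
 result = -EFAULT;
 break;
 }
+if (sList.uItem > (ULONG_MAX - sizeof(SBSSIDList)) / sizeof(SBSSIDItem)) {
+result = -EINVAL;
+break;
+}
 pList = (PSBSSIDList)kmalloc(sizeof(SBSSIDList) + (sList.uItem * sizeof(SBSSIDItem)), (int)GFP_ATOMIC);
 if (pList == NULL) {
 result = -ENOMEM;
@@ -557,6 +561,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
 result = -EFAULT;
 break;
 }
+if (sNodeList.uItem > (ULONG_MAX - sizeof(SNodeList)) / sizeof(SNodeItem)) {
+result = -ENOMEM;
+break;
+}
 pNodeList = (PSNodeList)kmalloc(sizeof(SNodeList) + (sNodeList.uItem * sizeof(SNodeItem)), (int)GFP_ATOMIC);
 if (pNodeList == NULL) {
 result = -ENOMEM;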
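Review bot: The sNodeList.uItem guard in the second hunk returns `-ENOMEM`, while the identical guard on sList.uItem in the first hunk returns `-EINVAL`; both reject an out-of-range count supplied by userspace, so the second should also use `result = -EINVAL;` and leave -ENOMEM to the kmalloc() failure path just below it. Both guards only rule out wrap-around of the size expression, so a count just under the limit still reaches kmalloc() with GFP_ATOMIC as a near-ULONG_MAX request; that presumably fails cleanly, but comparing uItem against the driver's real list capacity (not visible in these hunks) would be a tighter check. A short comment above each guard, such as `/* uItem comes from userspace: reject counts that would wrap the allocation size */`, would record why the test is there. private_ioctl() begins and ends outside both hunks.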