diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2011-11-04 14:20:43 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-11-26 21:34:15 -0500 |
commit | e384a41141949843899affcf51f4e6e646c1fe9f (patch) | |
tree | 402bbdb1c4d89e0fb354d168da2ac56332ecfd79 | |
parent | 6a9ce6b654e491981f6ef7e214cbd4f63e033848 (diff) |
Staging: comedi: integer overflow in do_insnlist_ioctl()
There is an integer overflow here that could cause memory corruption
on 32 bit systems.
insnlist.n_insns could be a very high value size calculation for
kmalloc() could overflow resulting in a smaller "insns" than
expected. In the for (i = 0; i < insnlist.n_insns; i++) {... loop
we would read past the end of the buffer, possibly corrupting memory
as well.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/staging/comedi/comedi_fops.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index ebdcecda3583..ed4853f194c4 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c | |||
@@ -670,6 +670,11 @@ static int do_insnlist_ioctl(struct comedi_device *dev, | |||
670 | goto error; | 670 | goto error; |
671 | } | 671 | } |
672 | 672 | ||
673 | if (sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns) { | ||
674 | ret = -EINVAL; | ||
675 | goto error; | ||
676 | } | ||
677 | |||
673 | insns = | 678 | insns = |
674 | kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL); | 679 | kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL); |
675 | if (!insns) { | 680 | if (!insns) { |