summaryrefslogtreecommitdiff
path: root/drivers/staging
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2011-11-04 21:20:43 +0300
committerGreg Kroah-Hartman <gregkh@suse.de>2011-11-26 18:34:15 -0800
commite384a41141949843899affcf51f4e6e646c1fe9f (patch)
tree402bbdb1c4d89e0fb354d168da2ac56332ecfd79 /drivers/staging
parent6a9ce6b654e491981f6ef7e214cbd4f63e033848 (diff)
Staging: comedi: integer overflow in do_insnlist_ioctl()
There is an integer overflow here that could cause memory corruption on 32 bit systems. insnlist.n_insns could be a very high value size calculation for kmalloc() could overflow resulting in a smaller "insns" than expected. In the for (i = 0; i < insnlist.n_insns; i++) {... loop we would read past the end of the buffer, possibly corrupting memory as well. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/staging')
-rw-r--r--drivers/staging/comedi/comedi_fops.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index ebdcecda3583..ed4853f194c4 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -670,6 +670,11 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
goto error;
}
+ if (sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns) {
+ ret = -EINVAL;
+ goto error;
+ }
+
insns =
kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL);
if (!insns) {