leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Staging: comedi: integer overflow in do_insnlist_ioctl()

Browse Source 
There is an integer overflow here that could cause memory corruption
on 32 bit systems.

insnlist.n_insns could be a very high value size calculation for
kmalloc() could overflow resulting in a smaller "insns" than
expected.  In the for (i = 0; i < insnlist.n_insns; i++) {... loop
we would read past the end of the buffer, possibly corrupting memory
as well.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Dan Carpenter 2011-11-04 21:20:43 +03:00 committed by Greg Kroah-Hartman
parent 6a9ce6b654
commit e384a41141
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
drivers/staging/comedi/comedi_fops.c
View File

@ -670,6 +670,11 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
goto error;
}
if (sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns) {
ret = -EINVAL;
goto error;
}
insns =
kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL);
if (!insns) {