Staging: comedi: integer overflow in do_insnlist_ioctl()

There is an integer overflow here that could cause memory corruption on 32 bit systems. insnlist.n_insns could be a very high value size calculation for kmalloc() could overflow resulting in a smaller "insns" than expected. In the for (i = 0; i < insnlist.n_insns; i++) {... loop we would read past the end of the buffer, possibly corrupting memory as well. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Staging: comedi: integer overflow in do_insnlist_ioctl()
There is an integer overflow here that could cause memory corruption on 32 bit systems. insnlist.n_insns could be a very high value size calculation for kmalloc() could overflow resulting in a smaller "insns" than expected. In the for (i = 0; i < insnlist.n_insns; i++) {... loop we would read past the end of the buffer, possibly corrupting memory as well. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
e384a411 · Dan Carpenter · Greg Kroah-Hartman · 6a9ce6b6 · e384a411
Commit e384a411 authored Nov 04, 2011 by Dan Carpenter Committed by Greg Kroah-Hartman Nov 26, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

drivers/staging/comedi/comedi_fops.c drivers/staging/comedi/comedi_fops.c +5 -0

No files found.
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -670,6 +670,11 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
 		goto error;
 	}
+	if (sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns) {
+		ret = -EINVAL;
+		goto error;
+	}
 	insns =
 	    kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL);
 	if (!insns) {