diff options
author | Xi Wang <xi.wang@gmail.com> | 2011-11-25 16:46:51 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-11-28 04:38:45 +0900 |
commit | dfd8ee92a9192d78aa38cf8699df3630a7c88c85 (patch) | |
tree | 6d567e20e8bc4d185e402636d3a5b2ae84355114 | |
parent | 06b446c8af5db5a98b2eaa30b513c79089ed254b (diff) |
Staging: comedi: fix integer overflow in do_insnlist_ioctl()
There is a potential integer overflow in do_insnlist_ioctl() if
userspace passes in a large insnlist.n_insns. The call to kmalloc()
would allocate a small buffer, leading to a memory corruption.
The bug was reported by Dan Carpenter <dan.carpenter@oracle.com>
and Haogang Chen <haogangchen@gmail.com>. The patch was suggested by
Ian Abbott <abbotti@mev.co.uk> and Lars-Peter Clausen <lars@metafoo.de>.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Reported-by: Haogang Chen <haogangchen@gmail.com>.
Cc: Ian Abbott <abbotti@mev.co.uk>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/staging/comedi/comedi_fops.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index ebdcecda3583..5e78c77d5a08 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -671,7 +671,7 @@ static int do_insnlist_ioctl(struct comedi_device *dev, } insns = - kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL); + kcalloc(insnlist.n_insns, sizeof(struct comedi_insn), GFP_KERNEL); if (!insns) { DPRINTK("kmalloc failed\n"); ret = -ENOMEM; |