Staging: comedi: fix integer overflow in do_insnlist_ioctl() There is a potential integer overflow in do_insnlist_ioctl() if userspace passes in a large insnlist.n_insns. The call to kmalloc() would allocate a small buffer, leading to a memory corruption. The bug was reported by Dan Carpenter <dan.carpenter@oracle.com> and Haogang Chen <haogangchen@gmail.com>. The patch was suggested by Ian Abbott <abbotti@mev.co.uk> and Lars-Peter Clausen <lars@metafoo.de>. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Reported-by: Haogang Chen <haogangchen@gmail.com>. Cc: Ian Abbott <abbotti@mev.co.uk> Cc: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

commit: dfd8ee92a9192d78aa38cf8699df3630a7c88c85 [log] [tgz]
author: Xi Wang <xi.wang@gmail.com> Fri Nov 25 16:46:51 2011 -0500
committer: Greg Kroah-Hartman <gregkh@suse.de> Mon Nov 28 04:38:45 2011 +0900
tree: 6d567e20e8bc4d185e402636d3a5b2ae84355114
parent: 06b446c8af5db5a98b2eaa30b513c79089ed254b [diff] [blame]
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index ebdcecd..5e78c77 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c

@@ -671,7 +671,7 @@
 	}
 
 	insns =
-	    kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, GFP_KERNEL);
+	    kcalloc(insnlist.n_insns, sizeof(struct comedi_insn), GFP_KERNEL);
 	if (!insns) {
 		DPRINTK("kmalloc failed\n");
 		ret = -ENOMEM;
commit	dfd8ee92a9192d78aa38cf8699df3630a7c88c85	[log] [tgz]
author	Xi Wang <xi.wang@gmail.com>	Fri Nov 25 16:46:51 2011 -0500
committer	Greg Kroah-Hartman <gregkh@suse.de>	Mon Nov 28 04:38:45 2011 +0900
tree	6d567e20e8bc4d185e402636d3a5b2ae84355114
parent	06b446c8af5db5a98b2eaa30b513c79089ed254b [diff] [blame]