Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / e384a41141949843899affcf51f4e6e646c1fe9f
commite384a41141949843899affcf51f4e6e646c1fe9f[log] [tgz]
authorDan Carpenter <dan.carpenter@oracle.com>Fri Nov 04 21:20:43 2011 +0300
committerGreg Kroah-Hartman <gregkh@suse.de>Sat Nov 26 18:34:15 2011 -0800
tree402bbdb1c4d89e0fb354d168da2ac56332ecfd79
parent6a9ce6b654e491981f6ef7e214cbd4f63e033848 [diff]
Staging: comedi: integer overflow in do_insnlist_ioctl()

There is an integer overflow here that could cause memory corruption
on 32 bit systems.

insnlist.n_insns could be a very high value size calculation for
kmalloc() could overflow resulting in a smaller "insns" than
expected.  In the for (i = 0; i < insnlist.n_insns; i++) {... loop
we would read past the end of the buffer, possibly corrupting memory
as well.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
1 file changed
tree: 402bbdb1c4d89e0fb354d168da2ac56332ecfd79
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS