[PATCH] comedi: integer overflow in do_insnlist_ioctl()
Dan Carpenter
dan.carpenter at oracle.com
Wed Nov 23 14:50:20 UTC 2011
On Wed, Nov 23, 2011 at 08:59:52AM -0500, Xi Wang wrote:
> Thanks for the pointer. However you cannot do the overflow check using
>
> if (sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns)
>
> Let's assume 32-bit system, sizeof(struct comedi_insn) = 32, and
> insnlist.n_insns = 0x7fffffff.
>
> Note that 32 * 0x7fffffff = 0xffffffe0 overflows but bypasses your check.
>
Argh... You're right, my check is wrong. What I like about my patch
though is that it doesn't introduce an arbitrary limit. Could you
redo your check without the MAX_INSNS?
regards,
dan carpenter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://driverdev.linuxdriverproject.org/pipermail/driverdev-devel/attachments/20111123/1a2c6912/attachment.asc>
More information about the devel
mailing list