[PATCH] staging: comedi: Integer overflow in do_cmd_ioctl & do_cmdtest_ioctl.
Ian Abbott
abbotti at mev.co.uk
Fri Jan 13 10:26:13 UTC 2012
On 2012-01-13 08:37, Dan Carpenter wrote:
> On Thu, Jan 12, 2012 at 11:09:48AM +0000, Ian Abbott wrote:
>> There is a potential integer overflow in do_cmd_ioctl() and
>> do_cmdtest_ioctl() for the multiply operation when calculating the size
>> of the buffer to be allocated for the kernel copy of the chanlist. This
>> would result in kernel memory corruption.
>>
>> Use kcalloc() to check for buffer size overflow.
>>
>
> Is this a Smatch fix? It's a false positive... Sorry for that.
> This can't overflow. We check it earlier.
>
> /* make sure channel/gain list isn't too long */
> if (user_cmd.chanlist_len > s->len_chanlist) {
Yes you're right. Please ignore this patch.
--
-=( Ian Abbott @ MEV Ltd. E-mail: <abbotti at mev.co.uk> )=-
-=( Tel: +44 (0)161 477 1898 FAX: +44 (0)161 718 3587 )=-
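
The two checks discussed in this thread, as an added example that is not part of the original message or of the comedi driver: a user-space C model of the early chanlist length check and of a kcalloc()-style overflow-checked allocation. The struct, the function names and the sample data are hypothetical, and `checked_calloc()` stands in for kcalloc().

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* User-space model; the struct and function names are hypothetical. */
struct subdev_model { unsigned int len_chanlist; };

/* What an unchecked 32-bit "len * sizeof(entry)" yields: wraps modulo 2^32. */
static uint32_t unchecked_size32(uint32_t len)
{
    return len * (uint32_t)sizeof(uint32_t);
}

/* Stand-in for kcalloc()'s overflow check: NULL when n * size would wrap. */
static void *checked_calloc(size_t n, size_t size)
{
    if (size != 0 && n > SIZE_MAX / size)
        return NULL;
    return calloc(n, size);
}

/* Returns 0, -EINVAL (list too long) or -ENOMEM (overflow or no memory). */
static int copy_chanlist(const struct subdev_model *s, const uint32_t *src,
                         unsigned int len, uint32_t **out)
{
    *out = NULL;
    if (len > s->len_chanlist)      /* the early length check */
        return -EINVAL;
    if (len == 0)
        return 0;
    *out = checked_calloc(len, sizeof(**out));
    if (!*out)
        return -ENOMEM;
    memcpy(*out, src, (size_t)len * sizeof(**out));
    return 0;
}

/* Constructed input: copy `len` entries against a limit (capped at 8). */
static int demo_copy(unsigned int limit, unsigned int len)
{
    static const uint32_t src[8] = { 0, 1, 2, 3, 4, 5, 6, 7 };
    struct subdev_model s = { limit > 8 ? 8 : limit };
    uint32_t *copy;
    int ret = copy_chanlist(&s, src, len, &copy);

    if (ret == 0 && len && memcmp(copy, src, len * sizeof(*src)) != 0)
        ret = -EIO;
    free(copy);
    return ret;
}
```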