[PATCH] staging: comedi: Integer overflow in do_cmd_ioctl & do_cmdtest_ioctl.

Ian Abbott abbotti at mev.co.uk
Fri Jan 13 10:26:13 UTC 2012


On 2012-01-13 08:37, Dan Carpenter wrote:
> On Thu, Jan 12, 2012 at 11:09:48AM +0000, Ian Abbott wrote:
>> There is a potential integer overflow in do_cmd_ioctl() and
>> do_cmdtest_ioctl() for the multiply operation when calculating the size
>> of the buffer to be allocated for the kernel copy of the chanlist.  This
>> would result in kernel memory corruption.
>>
>> Use kcalloc() to check for buffer size overflow.
>>
>
> Is this a Smatch fix?  It's a false positive...  Sorry for that.
> This can't overflow.  We check it earlier.
>
>          /* make sure channel/gain list isn't too long */
>          if (user_cmd.chanlist_len > s->len_chanlist) {

Yes you're right.  Please ignore this patch.

-- 
-=( Ian Abbott @ MEV Ltd.    E-mail: <abbotti at mev.co.uk>        )=-
-=( Tel: +44 (0)161 477 1898   FAX: +44 (0)161 718 3587         )=-
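
The point discussed in this thread, as an added example that is not part of the original message or the comedi source: a user-space model of the chanlist size multiply with 32-bit sizes, showing the wrapped product, a kcalloc()-style guard, and the earlier bound check on chanlist_len. The function names, the 4-byte element size and the sample values are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: sizes are 32-bit, as size_t is on a 32-bit kernel. */
#define ELEM_SIZE 4u /* assumed: one unsigned int per chanlist entry */

/* Unchecked multiply: the product is truncated to 32 bits. */
static uint32_t unchecked_size(uint32_t n)
{
	return (uint32_t)((uint64_t)n * ELEM_SIZE);
}

/* kcalloc()-style guard: fail instead of returning a wrapped size. */
static int checked_size(uint32_t n, uint32_t *out)
{
	if (n > UINT32_MAX / ELEM_SIZE)
		return -ENOMEM;
	*out = n * ELEM_SIZE;
	return 0;
}

/* The earlier bound check quoted in the thread, then the plain multiply. */
static int chanlist_bytes(uint32_t chanlist_len, uint32_t len_chanlist,
			  uint32_t *out)
{
	if (chanlist_len > len_chanlist)
		return -EINVAL;
	*out = unchecked_size(chanlist_len);
	return 0;
}

/* The bound protects the multiply only if the bound times ELEM_SIZE fits. */
static int bound_prevents_overflow(uint32_t len_chanlist)
{
	return len_chanlist <= UINT32_MAX / ELEM_SIZE;
}

int main(void)
{
	uint32_t sz = 0;

	printf("unchecked: %u bytes\n", (unsigned)unchecked_size(0x40000001u));
	printf("checked:   %d\n", checked_size(0x40000001u, &sz));
	printf("bounded:   %d\n", chanlist_bytes(0x40000001u, 16, &sz));
	printf("bound 16 sufficient: %d\n", bound_prevents_overflow(16));
	return 0;
}
```

With a driver-set limit of 16 entries the oversized request is rejected before the multiply runs, so the unchecked product is never computed on a value that could wrap.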


