Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

Xi Wang Wed, 23 Nov 2011 08:49:34 -0800

Thanks for the pointer.  However you cannot do the overflow check using

  if (sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns)


Let's assume 32-bit system, sizeof(struct comedi_insn) = 32, and
insnlist.n_insns = 0x7fffffff.

Note that 32 * 0x7fffffff = 0xffffffe0 overflows but bypasses your check.

- xi

On Wed, Nov 23, 2011 at 1:13 AM, Dan Carpenter <[email protected]> wrote:
> I sent a patch for this already.
>
> http://driverdev.linuxdriverproject.org/pipermail/devel/2011-November/022469.html
>
> regards,
> dan carpenter
>
>
>
_______________________________________________
devel mailing list
[email protected]
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel

Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

Reply via email to