On Wed, Nov 30, 2011 at 09:25:21AM -0500, Xi Wang wrote: > There are two potential integer overflows in private_ioctl() if > userspace passes in a large sList.uItem / sNodeList.uItem. The > subsequent call to kmalloc() would allocate a small buffer, leading > to a memory corruption. > > Reported-by: Dan Rosenberg <[email protected]> > Signed-off-by: Xi Wang <[email protected]> > --- > drivers/staging/vt6656/ioctl.c | 8 ++++++++ > 1 files changed, 8 insertions(+), 0 deletions(-) > > diff --git a/drivers/staging/vt6656/ioctl.c b/drivers/staging/vt6656/ioctl.c > index 4939002..1463d76 100644 > --- a/drivers/staging/vt6656/ioctl.c > +++ b/drivers/staging/vt6656/ioctl.c > @@ -295,6 +295,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq) > result = -EFAULT; > break; > } > + if (sList.uItem > (ULONG_MAX - sizeof(SBSSIDList)) / > sizeof(SBSSIDItem)) {
It doesn't actually matter because sizeof(SBSSIDList) is just 4 but
normally you would do the math different.
if (sList.uItem > ULONG_MAX / sizeof(SBSSIDItem) -
sizeof(SBSSIDList)) {
But both checks are low enough in this case.
> + result = -EINVAL;
> + break;
> + }
> pList = (PSBSSIDList)kmalloc(sizeof(SBSSIDList) + (sList.uItem
> * sizeof(SBSSIDItem)), (int)GFP_ATOMIC);
> if (pList == NULL) {
> result = -ENOMEM;
regards,
dan carpenter
signature.asc
Description: Digital signature
_______________________________________________ devel mailing list [email protected] http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
