There is a potential integer overflow in do_cmd_ioctl() and
do_cmdtest_ioctl() for the multiply operation when calculating the size
of the buffer to be allocated for the kernel copy of the chanlist.  This
would result in kernel memory corruption.

Use kcalloc() to check for buffer size overflow.

Signed-off-by: Ian Abbott <[email protected]>
---
 drivers/staging/comedi/comedi_fops.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/comedi/comedi_fops.c 
b/drivers/staging/comedi/comedi_fops.c
index 5e78c77..2f5617d 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -1093,7 +1093,7 @@ static int do_cmd_ioctl(struct comedi_device *dev,
        async->cmd.data = NULL;
        /* load channel/gain list */
        async->cmd.chanlist =
-           kmalloc(async->cmd.chanlist_len * sizeof(int), GFP_KERNEL);
+           kcalloc(async->cmd.chanlist_len, sizeof(int), GFP_KERNEL);
        if (!async->cmd.chanlist) {
                DPRINTK("allocation failed\n");
                ret = -ENOMEM;
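Review bot: The element size is still hard-coded as `sizeof(int)` in this allocation and in the do_cmdtest_ioctl() hunk. Tying it to the pointer, `kcalloc(async->cmd.chanlist_len, sizeof(*async->cmd.chanlist), GFP_KERNEL);`, keeps the size correct if the chanlist element type ever changes. A short comment such as `/* kcalloc() fails if chanlist_len * element size would overflow */` would also discourage a later cleanup from reverting to kmalloc(). Any later copy that recomputes `chanlist_len * sizeof(int)` lies outside this hunk and is presumably safe only because the allocation fails first. do_cmd_ioctl() starts and ends outside the hunk.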
@@ -1218,7 +1218,7 @@ static int do_cmdtest_ioctl(struct comedi_device *dev,
        /* load channel/gain list */
        if (user_cmd.chanlist) {
                chanlist =
-                   kmalloc(user_cmd.chanlist_len * sizeof(int), GFP_KERNEL);
+                   kcalloc(user_cmd.chanlist_len, sizeof(int), GFP_KERNEL);
                if (!chanlist) {
                        DPRINTK("allocation failed\n");
                        ret = -ENOMEM;
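Review bot: An overflowing `user_cmd.chanlist_len` now fails the allocation and reaches the caller as `-ENOMEM`, although the real cause is an invalid user-supplied length. If no earlier check bounds chanlist_len against a driver-defined maximum (none is visible in this hunk), rejecting it up front with `-EINVAL` would give a clearer error. It would also avoid attempting very large allocations that stay just under the overflow limit. Note too that a zero chanlist_len makes kcalloc() return a non-NULL zero-size pointer, so `!chanlist` does not catch it. The code after this hunk should tolerate an empty list. The same points apply to the do_cmd_ioctl() hunk, and do_cmdtest_ioctl() continues outside the hunk.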
-- 
1.7.8.2
