On Thu, Jan 12, 2012 at 11:09:48AM +0000, Ian Abbott wrote:
> There is a potential integer overflow in do_cmd_ioctl() and
> do_cmdtest_ioctl() for the multiply operation when calculating the size
> of the buffer to be allocated for the kernel copy of the chanlist. This
> would result in kernel memory corruption.
>
> Use kcalloc() to check for buffer size overflow.
>

Is this a Smatch fix? It's a false positive... Sorry for that.
This can't overflow. We check it earlier.

	/* make sure channel/gain list isn't too long */
	if (user_cmd.chanlist_len > s->len_chanlist) {

kcalloc() is a cleanup though, I suppose.

regards,
dan carpenter
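
The point made in this reply, as an added example in user-space C (not the driver's code and not written by either poster): a bound check ahead of the multiply keeps the size from wrapping, and a kcalloc()-style check refuses the wrap on its own. The struct, the function names, the limit of 16 and the 32-bit size arithmetic are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the subdevice limit (s->len_chanlist in the mail). */
struct subdev_model {
	uint32_t len_chanlist;
};

/* Plain multiply in 32-bit arithmetic (models a 32-bit size_t): wraps silently. */
uint32_t unchecked_bytes(uint32_t n, uint32_t elem)
{
	return n * elem;
}

/* kcalloc()-style guard: fail instead of wrapping. Returns 0 on success. */
int checked_bytes(uint32_t n, uint32_t elem, uint32_t *out)
{
	if (elem != 0 && n > UINT32_MAX / elem)
		return -1;
	*out = n * elem;
	return 0;
}

/* Bound check first, as in the quoted driver lines, then a checked allocation. */
unsigned int *alloc_chanlist_model(const struct subdev_model *s, uint32_t chanlist_len)
{
	uint32_t bytes;

	if (chanlist_len > s->len_chanlist)	/* channel/gain list too long */
		return NULL;
	if (checked_bytes(chanlist_len, sizeof(unsigned int), &bytes) != 0)
		return NULL;
	return malloc(bytes ? bytes : 1);
}

int main(void)
{
	struct subdev_model s = { 16 };		/* assumed device limit */
	uint32_t huge = 0x40000001u, bytes = 0;	/* constructed oversized length */
	unsigned int *ok = alloc_chanlist_model(&s, 8);

	printf("unchecked: %u bytes\n", (unsigned)unchecked_bytes(huge, 4));
	printf("checked:   %d\n", checked_bytes(huge, 4, &bytes));
	printf("bounded:   %s\n", alloc_chanlist_model(&s, huge) ? "allocated" : "rejected");
	free(ok);
	return 0;
}
```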
