On Mon, Sep 10, 2012 at 11:35:11AM +0100, David Vrabel wrote:
On 08/09/12 10:52, Dan Carpenter wrote:
If m.num is too large then the m.num * sizeof(*m.arr) multiplication
could overflow and the access_ok() check wouldn't test the right size.
m.num is range checked later on so it doesn't
On 08/09/12 10:52, Dan Carpenter wrote:
If m.num is too large then the m.num * sizeof(*m.arr) multiplication
could overflow and the access_ok() check wouldn't test the right size.
m.num is range checked later on so it doesn't matter that the
access_ok() checks might be wrong. A bit subtle,