On 2011-11-23 14:50, Dan Carpenter wrote:
On Wed, Nov 23, 2011 at 08:59:52AM -0500, Xi Wang wrote:
Thanks for the pointer. However you cannot do the overflow check using
if (sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns)
Let's assume 32-bit system, sizeof(struct comedi_insn) = 32, and
insnlist.n_insns = 0x7fffffff.
Note that 32 * 0x7fffffff = 0xffffffe0 overflows but bypasses your check.
Argh... You're right, my check is wrong. What I like about my patch
though is that it doesn't introduce an arbitrary limit. Could you
redo your check without the MAX_INSNS?
Could use something like:
if (insnlist.n_insns <= ULONG_MAX / sizeof(struct comedi_insn))
insns =
kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns,
GFP_KERNEL);
if (!insns)
...
(note that insns is initialized to NULL).
--
-=( Ian Abbott @ MEV Ltd. E-mail: <abbotti@xxxxxxxxx> )=-
-=( Tel: +44 (0)161 477 1898 FAX: +44 (0)161 718 3587 )=-
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel