On 11/23/2011 05:06 PM, Ian Abbott wrote: > On 2011-11-23 14:50, Dan Carpenter wrote: >> On Wed, Nov 23, 2011 at 08:59:52AM -0500, Xi Wang wrote: >>> Thanks for the pointer. However you cannot do the overflow check using >>> >>> if (sizeof(struct comedi_insn) * insnlist.n_insns < >>> insnlist.n_insns) >>> >>> Let's assume 32-bit system, sizeof(struct comedi_insn) = 32, and >>> insnlist.n_insns = 0x7fffffff. >>> >>> Note that 32 * 0x7fffffff = 0xffffffe0 overflows but bypasses your >>> check. >>> >> >> Argh... You're right, my check is wrong. What I like about my patch >> though is that it doesn't introduce an arbitrary limit. Could you >> redo your check without the MAX_INSNS? > > Could use something like: > > if (insnlist.n_insns <= ULONG_MAX / sizeof(struct comedi_insn)) > insns = > kmalloc(sizeof(struct comedi_insn) * insnlist.n_insns, > GFP_KERNEL); > if (!insns) > ... > > (note that insns is initialized to NULL). > Just use kcalloc, it will do the right thing for you. - Lars _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
