There is a potential integer overflow in do_cmd_ioctl() and do_cmdtest_ioctl() for the multiply operation when calculating the size of the buffer to be allocated for the kernel copy of the chanlist. This would result in kernel memory corruption. Use kcalloc() to check for buffer size overflow. Signed-off-by: Ian Abbott <abbotti@xxxxxxxxx> --- drivers/staging/comedi/comedi_fops.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index 5e78c77..2f5617d 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -1093,7 +1093,7 @@ static int do_cmd_ioctl(struct comedi_device *dev, async->cmd.data = NULL; /* load channel/gain list */ async->cmd.chanlist = - kmalloc(async->cmd.chanlist_len * sizeof(int), GFP_KERNEL); + kcalloc(async->cmd.chanlist_len, sizeof(int), GFP_KERNEL); if (!async->cmd.chanlist) { DPRINTK("allocation failed\n"); ret = -ENOMEM; @@ -1218,7 +1218,7 @@ static int do_cmdtest_ioctl(struct comedi_device *dev, /* load channel/gain list */ if (user_cmd.chanlist) { chanlist = - kmalloc(user_cmd.chanlist_len * sizeof(int), GFP_KERNEL); + kcalloc(user_cmd.chanlist_len, sizeof(int), GFP_KERNEL); if (!chanlist) { DPRINTK("allocation failed\n"); ret = -ENOMEM; -- 1.7.8.2 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
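Review bot: In the do_cmd_ioctl() hunk (@@ -1093), an overflowing chanlist_len now lands in the existing "if (!async->cmd.chanlist)" branch, so a nonsensical length from the caller is logged as "allocation failed" and returned as -ENOMEM, the same as genuine memory exhaustion. kcalloc() only rejects lengths whose product with sizeof(int) wraps; anything below that is still passed to the allocator at full size. Consider validating async->cmd.chanlist_len against a sane upper bound before the allocation and returning -EINVAL for out-of-range values, keeping kcalloc() as the backstop. The commit message should also mention that kcalloc() zeroes the buffer, since that is a behaviour change beyond the overflow check.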
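Review bot: In the do_cmdtest_ioctl() hunk (@@ -1218), the element size is still hard-coded as sizeof(int) in "kcalloc(user_cmd.chanlist_len, sizeof(int), GFP_KERNEL)". Writing it as sizeof(*chanlist) would keep the allocation tied to the pointer's actual element type if that type ever changes. The same applies to the first hunk with sizeof(*async->cmd.chanlist). The length here comes straight from user_cmd, so the same note about bounding chanlist_len before allocating applies to this path as well. Since both ioctls repeat the same allocation pattern, a small shared helper for it would keep the two paths from drifting apart.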