On Thu, Jan 12, 2012 at 11:09:48AM +0000, Ian Abbott wrote:
> There is a potential integer overflow in do_cmd_ioctl() and
> do_cmdtest_ioctl() for the multiply operation when calculating the size
> of the buffer to be allocated for the kernel copy of the chanlist. This
> would result in kernel memory corruption.
>
> Use kcalloc() to check for buffer size overflow.
>

Is this a Smatch fix? It's a false positive... Sorry for that.

This can't overflow. We check it earlier.

	/* make sure channel/gain list isn't too long */
	if (user_cmd.chanlist_len > s->len_chanlist) {

kcalloc() is a cleanup though, I suppose.

regards,
dan carpenter
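The two checks discussed in this thread, a bound on the element count before the size multiply and a kcalloc()-style overflow-checked array allocation, as an added userspace example that is not code from the patch or the driver. `subdev_model`, `checked_calloc`, `alloc_chanlist` and `wrapped_size32` are hypothetical names, and the wrapped size assumes 32-bit size arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the subdevice limit (s->len_chanlist in the thread). */
struct subdev_model {
    unsigned int len_chanlist;
};

/* What an unchecked 32-bit multiply yields: the product wraps modulo 2^32. */
static uint32_t wrapped_size32(uint32_t chanlist_len, uint32_t elem_size)
{
    return chanlist_len * elem_size;
}

/* Overflow-checked array allocation in the style of kcalloc(): refuse when
 * n * size does not fit in size_t, otherwise return zeroed memory. */
static void *checked_calloc(size_t n, size_t size)
{
    if (size != 0 && n > SIZE_MAX / size)
        return NULL;
    return calloc(n, size);
}

/* Returns 0 with a zeroed buffer in *out, or -1 if the request is rejected. */
static int alloc_chanlist(const struct subdev_model *s,
                          unsigned int chanlist_len, unsigned int **out)
{
    *out = NULL;
    /* Bound check first, as in the snippet quoted in the reply. */
    if (chanlist_len > s->len_chanlist)
        return -1;
    *out = checked_calloc(chanlist_len, sizeof(unsigned int));
    return *out ? 0 : -1;
}

int main(void)
{
    struct subdev_model s = { 16 };   /* constructed sample limit */
    unsigned int *list;

    printf("unchecked 32-bit size for 0x40000001 entries: %u bytes\n",
           (unsigned)wrapped_size32(0x40000001u, 4));
    printf("oversized request: %d\n", alloc_chanlist(&s, 0x40000001u, &list));
    printf("in-range request:  %d\n", alloc_chanlist(&s, 16, &list));
    free(list);
    return 0;
}
```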