On 2012-01-13 08:37, Dan Carpenter wrote:
> On Thu, Jan 12, 2012 at 11:09:48AM +0000, Ian Abbott wrote:
>> There is a potential integer overflow in do_cmd_ioctl() and
>> do_cmdtest_ioctl() for the multiply operation when calculating the size
>> of the buffer to be allocated for the kernel copy of the chanlist. This
>> would result in kernel memory corruption.
>>
>> Use kcalloc() to check for buffer size overflow.
>
> Is this a Smatch fix? It's a false positive... Sorry for that.
>
> This can't overflow. We check it earlier.
>
>     /* make sure channel/gain list isn't too long */
>     if (user_cmd.chanlist_len > s->len_chanlist) {

Yes you're right. Please ignore this patch.
--
-=( Ian Abbott @ MEV Ltd. E-mail: <abbotti@xxxxxxxxx> )=-
-=( Tel: +44 (0)161 477 1898 FAX: +44 (0)161 718 3587 )=-
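
The point settled in this thread, as an added user-space C example (not code from the patch or the driver): an unchecked 32-bit multiply wraps for a huge element count, a kcalloc()-style check refuses it, and a length check placed before the allocation rejects the request earlier still. The names `checked_calloc`, `unchecked_size32` and `copy_chanlist`, the limit of 16 channels and the sample values are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for kcalloc(): refuse n * size if it overflows. */
static void *checked_calloc(size_t n, size_t size)
{
    if (size != 0 && n > SIZE_MAX / size)
        return NULL;
    return calloc(n, size);
}

/* The byte count an unchecked multiply yields when size_t is 32 bits wide. */
static uint32_t unchecked_size32(uint32_t n, uint32_t size)
{
    return n * size; /* unsigned arithmetic wraps modulo 2^32 */
}

/* Model of the chanlist copy: bound check first, then the allocation.
 * Returns 0 on success, -1 if the list is too long, -2 if allocation fails. */
static int copy_chanlist(const unsigned int *src, unsigned int chanlist_len,
                         unsigned int len_chanlist, unsigned int **out)
{
    unsigned int *buf;
    size_t i;

    /* make sure channel/gain list isn't too long */
    if (chanlist_len > len_chanlist)
        return -1;
    buf = checked_calloc(chanlist_len, sizeof(*buf));
    if (!buf)
        return -2;
    for (i = 0; i < chanlist_len; i++)
        buf[i] = src[i];
    *out = buf;
    return 0;
}

int main(void)
{
    unsigned int src[3] = { 1, 2, 3 }, *copy = NULL; /* constructed sample */

    printf("wrapped size: %u\n", (unsigned)unchecked_size32(0x40000001u, 4));
    printf("oversized list: %d\n", copy_chanlist(src, 0x40000001u, 16, &copy));
    printf("valid list: %d\n", copy_chanlist(src, 3, 16, &copy));
    free(copy);
    return 0;
}
```

The bound check only makes the multiply safe when the limit times the element size fits in the size type; the checked allocator stays correct regardless of the limit.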