The copy_to_user() that returns the subdevice 'maxdata_list' in this function has the possibility of overflowing due to the calculation of the size of the copy. In reality this should never happen but add a sanity check just to be safe. Reported-by: coverity (CID 143110) Signed-off-by: H Hartley Sweeten <hsweeten@xxxxxxxxxxxxxxxxxxx> Cc: Ian Abbott <abbotti@xxxxxxxxx> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/staging/comedi/comedi_fops.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c index 0e8a451..ad483e1 100644 --- a/drivers/staging/comedi/comedi_fops.c +++ b/drivers/staging/comedi/comedi_fops.c @@ -1061,6 +1061,14 @@ static int do_chaninfo_ioctl(struct comedi_device *dev, if (it.maxdata_list) { if (s->maxdata || !s->maxdata_list) return -EINVAL; + /* + * s->n_chan is usually <= 32 but _some_ comedi drivers + * do have more. Do a simple sanity check to make sure + * copy_to_user() does not overflow. In reality this + * should never fail... + */ + if (s->n_chan > (0xffffffff / sizeof(unsigned int))) + return -EINVAL; if (copy_to_user(it.maxdata_list, s->maxdata_list, s->n_chan * sizeof(unsigned int))) return -EFAULT; -- 2.4.3
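
Review bot: The bound in the added `if (s->n_chan > (0xffffffff / sizeof(unsigned int)))` is a hard-coded 32-bit limit that does not say which type's overflow it guards against. The length expression `s->n_chan * sizeof(unsigned int)` is evaluated in the type of `sizeof`, so the limit that matters is SIZE_MAX (or UINT_MAX, if the intent is to keep the byte count within 32 bits), and using the named constant would make that intent explicit and keep the check correct on both 32-bit and 64-bit builds. The check also only rules out arithmetic wrap-around: it does not relate the copy length to the number of entries actually held in `s->maxdata_list`, so a channel count that is too large for that array but below this bound still reaches copy_to_user(). If `s->n_chan` is fixed once the subdevice is set up, validating it there once would be an alternative to testing it on every ioctl, and the comment's "should never fail" could then state the invariant being relied on.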