On Saturday 01 April 2006 04:35, Mitchell Blank Jr wrote: > * I also changed "size" to be unsigned since that makes more sense and > is less prone to overflow bugs. I'm also a little scared by the > "kmalloc(6 * size)" since that type of call is a classic multiply-overflow > security hole (hence libc's calloc() API). However "size" is constrained > by fdt->max_fdset so I think it isn't exploitable. The kernel doesn't > have an overflow-safe API for kmalloc'ing arrays, does it? kcalloc. But it's slow since it memsets. -Andi - : send the line "unsubscribe linux-ia64" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
|