On a 32bit system the multiplication here could overflow. p->count is used in some of the V4L drivers.
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
This is a patch against the 2.6.32-longterm kernel. In the stock kernel, this code was totally rewritten and fixed in 2010 by d14e6d76ebf "[media] v4l: Add multi-planar ioctl handling code". Hopefully, someone can Ack this and we merge it into the stable tree.
diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c
index 265bfb5..7196303 100644
--- a/drivers/media/video/v4l2-ioctl.c
+++ b/drivers/media/video/v4l2-ioctl.c
@@ -414,6 +414,9 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
 p->error_idx = p->count;
 user_ptr = (void __user *)p->controls;
 if (p->count) {
+ err = -EINVAL;
+ if (p->count > ULONG_MAX / sizeof(struct v4l2_ext_control))
+ goto out_ext_ctrl;
 ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
 /* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
 mbuf = kmalloc(ctrls_size, GFP_KERNEL);
@@ -1912,6 +1915,9 @@ long video_ioctl2(struct file *file,
 p->error_idx = p->count;
 user_ptr = (void __user *)p->controls;
 if (p->count) {
+ err = -EINVAL;
+ if (p->count > ULONG_MAX / sizeof(struct v4l2_ext_control))
+ goto out_ext_ctrl;
 ctrls_size = sizeof(struct v4l2_ext_control) * p->count;
 /* Note: v4l2_ext_controls fits in sbuf[] so mbuf is still NULL. */
 mbuf = kmalloc(ctrls_size, GFP_KERNEL);
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
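Review bot: The added guard in video_usercopy only rules out wraparound of `sizeof(struct v4l2_ext_control) * p->count`; a user-supplied count just under `ULONG_MAX / sizeof(struct v4l2_ext_control)` still passes and reaches kmalloc() with a request close to the size of the address space. That allocation will presumably fail, but it is rejected by the allocator rather than by an early -EINVAL, so a small fixed upper bound on p->count would be a tighter check. The limit is written in terms of ULONG_MAX while the declaration of ctrls_size is outside the hunk; if it is not an unsigned long or size_t, the comparison should use that type's maximum instead. A one-line comment above the check, such as `/* p->count is user-controlled: reject sizes that would wrap ctrls_size */`, would record why it is there. The same points apply to the identical hunk in video_ioctl2, and both function bodies continue outside the hunks.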