Skip to content
Commit dfd8ee92 authored by Xi Wang's avatar Xi Wang Committed by Greg Kroah-Hartman
Browse files

Staging: comedi: fix integer overflow in do_insnlist_ioctl()



There is a potential integer overflow in do_insnlist_ioctl() if
userspace passes in a large insnlist.n_insns.  The call to kmalloc()
would allocate a small buffer, leading to a memory corruption.

The bug was reported by Dan Carpenter <dan.carpenter@oracle.com>
and Haogang Chen <haogangchen@gmail.com>.  The patch was suggested by
Ian Abbott <abbotti@mev.co.uk> and Lars-Peter Clausen <lars@metafoo.de>.

Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Reported-by: default avatarHaogang Chen <haogangchen@gmail.com&gt;.>
Cc: Ian Abbott <abbotti@mev.co.uk>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 06b446c8
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment