From: Xi Wang Date: Wed, 30 Nov 2011 02:53:46 +0000 (-0500) Subject: staging: vt6656: integer overflows in private_ioctl() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=201320435d017e8ebd449034547ef0518ec4d056;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git staging: vt6656: integer overflows in private_ioctl() There are two potential integer overflows in private_ioctl() if userspace passes in a large sList.uItem / sNodeList.uItem. The subsequent call to kmalloc() would allocate a small buffer, leading to a memory corruption. Reported-by: Dan Rosenberg Signed-off-by: Xi Wang Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/vt6656/ioctl.c b/drivers/staging/vt6656/ioctl.c index 49390026dea3..1463d76895f0 100644 --- a/drivers/staging/vt6656/ioctl.c +++ b/drivers/staging/vt6656/ioctl.c @@ -295,6 +295,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq) result = -EFAULT; break; } + if (sList.uItem > (ULONG_MAX - sizeof(SBSSIDList)) / sizeof(SBSSIDItem)) { + result = -EINVAL; + break; + } pList = (PSBSSIDList)kmalloc(sizeof(SBSSIDList) + (sList.uItem * sizeof(SBSSIDItem)), (int)GFP_ATOMIC); if (pList == NULL) { result = -ENOMEM; @@ -557,6 +561,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq) result = -EFAULT; break; } + if (sNodeList.uItem > (ULONG_MAX - sizeof(SNodeList)) / sizeof(SNodeItem)) { + result = -ENOMEM; + break; + } pNodeList = (PSNodeList)kmalloc(sizeof(SNodeList) + (sNodeList.uItem * sizeof(SNodeItem)), (int)GFP_ATOMIC); if (pNodeList == NULL) { result = -ENOMEM;