From: Dan Carpenter Date: Wed, 1 Apr 2015 08:12:15 +0000 (+0300) Subject: Staging: lustre: integer overflow in ioctl X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=faec8ab42b4a0f119a1cfbceef0c14b7b61059cb;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git Staging: lustre: integer overflow in ioctl hdr->ioc_len is a user controlled u32 so the addition can overflow, especially on 32 bit systems. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c b/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c index a5effcd9c679..e962f89683a6 100644 --- a/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c +++ b/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c @@ -57,7 +57,7 @@ int libcfs_ioctl_getdata(char *buf, char *end, void *arg) return -EINVAL; } - if (hdr->ioc_len + buf >= end) { + if (hdr->ioc_len >= end - buf) { CERROR("PORTALS: user buffer exceeds kernel buffer\n"); return -EINVAL; }