linux/drivers/staging/comedi
Xi Wang dfd8ee92a9 Staging: comedi: fix integer overflow in do_insnlist_ioctl()
There is a potential integer overflow in do_insnlist_ioctl() if
userspace passes in a large insnlist.n_insns.  The call to kmalloc()
would allocate a small buffer, leading to a memory corruption.

The bug was reported by Dan Carpenter <dan.carpenter@oracle.com>
and Haogang Chen <haogangchen@gmail.com>.  The patch was suggested by
Ian Abbott <abbotti@mev.co.uk> and Lars-Peter Clausen <lars@metafoo.de>.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Reported-by: Haogang Chen <haogangchen@gmail.com>.
Cc: Ian Abbott <abbotti@mev.co.uk>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-11-28 04:38:45 +09:00
..
drivers staging: comedi: usbduxsigma: Fixed wrong range for the analogue channel. 2011-11-26 18:34:14 -08:00
kcomedilib Staging: comedi: kcomedilib: fix coding style issues in kcomedilib_main.c 2010-07-08 13:15:16 -07:00
Kconfig staging: comedi: new driver usbduxsigma 2011-08-23 12:00:45 -07:00
Makefile Staging: comedi: Makefile: replace the use of <module>-objs with <module>-y 2010-10-08 07:23:52 -07:00
TODO Staging: comedi: Remove typedefs 2010-06-17 13:49:07 -07:00
comedi.h staging: comedi: fixed a declaration coding style issue 2011-06-28 13:23:56 -07:00
comedi_compat32.c Staging: comedi: range.c: properly mark up __user pointers 2010-05-11 11:36:03 -07:00
comedi_compat32.h Staging: comedi: remove check for HAVE_COMPAT_IOCTL 2009-12-11 12:23:01 -08:00
comedi_fops.c Staging: comedi: fix integer overflow in do_insnlist_ioctl() 2011-11-28 04:38:45 +09:00
comedi_fops.h Staging: comedi: fix up remaining coding style issue in proc.c 2010-05-11 11:35:58 -07:00
comedidev.h staging: comedi: remove COMEDI_DEVICE_CREATE macro, expand all callers 2011-07-06 08:22:49 -07:00
comedilib.h Staging: comedi: kcomedilib: make it typesafe 2010-05-11 11:36:02 -07:00
drivers.c Staging: comedi: drivers.c: fix PAGE_KERNEL_NOCACHE issue 2011-06-09 12:13:53 -07:00
internal.h Staging: comedi: drivers.c sparse cleanup 2010-05-11 11:36:03 -07:00
proc.c Staging: comedi: clean up sparse issues in proc.c 2010-05-11 11:36:03 -07:00
range.c Staging: comedi: range.c: properly mark up __user pointers 2010-05-11 11:36:03 -07:00