Check integer overflow in do_insnlist_ioctl()

Follow patch to "staging" comedi kernel sources by Dan Carpenter.

There is an integer overflow here that could cause memory corruption
on 32 bit systems.

insnlist.n_insns could be a very high value size calculation for
kmalloc() could overflow resulting in a smaller "insns" than
expected.  In the for (i = 0; i < insnlist.n_insns; i++) {... loop
we would read past the end of the buffer, possibly corrupting memory
as well.

diff --git a/comedi/comedi_fops.c b/comedi/comedi_fops.c
index 210eb416f6a03210edfa9b1fee22c093fdddc1e5..97cd1d72081d4103e51d894769c6ab699ee1dd63 100644 (file)
--- a/comedi/comedi_fops.c
+++ b/comedi/comedi_fops.c
@@ -700,6 +700,12 @@ static int do_insnlist_ioctl(comedi_device * dev, void *arg, void *file)
                goto error;
        }
 
+       if (sizeof(comedi_insn) * insnlist.n_insns < insnlist.n_insns) {
+               DPRINTK("number of instructions too large\n");
+               ret = -EINVAL;
+               goto error;
+       }
+
        insns = kmalloc(sizeof(comedi_insn) * insnlist.n_insns, GFP_KERNEL);
        if (!insns) {
                DPRINTK("kmalloc failed\n");