Check integer overflow in do_cmd_ioctl() and do_cmdtest_ioctl().

Check for integer overflow when allocating buffer for channel list.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>

diff --git a/comedi/comedi_fops.c b/comedi/comedi_fops.c
index ed26d00113b7a79d3aed3f91f25a226d8e7691db..ff09458a704085af71ede960fae06854f0054f23 100644 (file)
--- a/comedi/comedi_fops.c
+++ b/comedi/comedi_fops.c
@@ -1122,8 +1122,12 @@ static int do_cmd_ioctl(comedi_device * dev, void *arg, void *file)
        async->cmd = user_cmd;
        async->cmd.data = NULL;
        /* load channel/gain list */
-       async->cmd.chanlist =
-               kmalloc(async->cmd.chanlist_len * sizeof(int), GFP_KERNEL);
+       if (async->cmd.chanlist_len <= ULONG_MAX / sizeof(int))
+               async->cmd.chanlist =
+                       kmalloc(async->cmd.chanlist_len * sizeof(int),
+                                       GFP_KERNEL);
+       else
+               async->cmd.chanlist = NULL;
        if (!async->cmd.chanlist) {
                DPRINTK("allocation failed\n");
                ret = -ENOMEM;
@@ -1252,9 +1256,10 @@ static int do_cmdtest_ioctl(comedi_device * dev, void *arg, void *file)
 
        /* load channel/gain list */
        if (user_cmd.chanlist) {
-               chanlist =
-                       kmalloc(user_cmd.chanlist_len * sizeof(int),
-                       GFP_KERNEL);
+               if (user_cmd.chanlist_len <= ULONG_MAX / sizeof(int))
+                       chanlist =
+                               kmalloc(user_cmd.chanlist_len * sizeof(int),
+                               GFP_KERNEL);
                if (!chanlist) {
                        DPRINTK("allocation failed\n");
                        ret = -ENOMEM;