From: Ian Abbott
Date: Mon, 7 Nov 2011 10:20:23 +0000 (+0000)
Subject: Check integer overflow in do_insnlist_ioctl()
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=5c7eb2c3c8b0abaea8c6fd8b3d368ff0985da004;p=comedi.git

Check integer overflow in do_insnlist_ioctl()

Follow patch to "staging" comedi kernel sources by Dan Carpenter.

There is an integer overflow here that could cause memory corruption on 32 bit systems. insnlist.n_insns could be a very high value; the size calculation for kmalloc() could overflow, resulting in a smaller "insns" than expected. In the for (i = 0; i < insnlist.n_insns; i++) {... loop we would read past the end of the buffer, possibly corrupting memory as well.
---
diff --git a/comedi/comedi_fops.c b/comedi/comedi_fops.c index 210eb416..97cd1d72 100644 --- a/comedi/comedi_fops.c +++ b/comedi/comedi_fops.c @@ -700,6 +700,12 @@ static int do_insnlist_ioctl(comedi_device * dev, void *arg, void *file) goto error; } + if (sizeof(comedi_insn) * insnlist.n_insns < insnlist.n_insns) { + DPRINTK("number of instructions too large\n"); + ret = -EINVAL; + goto error; + } + insns = kmalloc(sizeof(comedi_insn) * insnlist.n_insns, GFP_KERNEL); if (!insns) { DPRINTK("kmalloc failed\n");
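Review bot: the guard added in this hunk, `if (sizeof(comedi_insn) * insnlist.n_insns < insnlist.n_insns)`, is necessary but does not reject every wrapped product. The multiplication is done in size_t, and on a 32-bit build a product that wraps modulo 2^32 can land anywhere below 2^32; for any element size other than 1 there are values of n_insns whose product wraps yet still comes out at or above n_insns, so the check passes and kmalloc() is asked for a wrong size (if that request ever succeeded, the for (i = 0; i < insnlist.n_insns; i++) loop would still run past the end of "insns"). A bound that cannot be fooled is a division, e.g. `if (insnlist.n_insns > SIZE_MAX / sizeof(comedi_insn))` placed before the kmalloc(), or better a fixed upper limit on n_insns, which would also stop user space from handing kmalloc() multi-megabyte requests it cannot satisfy anyway. A one-line comment on the check saying it guards the size multiplication would help a later reader too.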
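To make the commit message's argument concrete, the following added example (written for this page, not code from the comedi tree) models the do_insnlist_ioctl() size computation on a 32-bit kernel, where size_t is 32 bits. It compares the check the patch adds with a division-based bound, finds the smallest n_insns whose product wraps but slips past the patch's check, and counts how many iterations of the `for (i = 0; i < insnlist.n_insns; i++)` loop would then read past the end of the buffer. ELEM_SIZE is an assumed stand-in for sizeof(comedi_insn); SIZE32_MAX stands in for SIZE_MAX on a 32-bit build.

```c
/* Added example: models the comedi size computation on a 32-bit
 * kernel. Not code from the comedi project. */
#include <stdint.h>
#include <stdio.h>

#define ELEM_SIZE  32u          /* assumed stand-in for sizeof(comedi_insn) */
#define SIZE32_MAX 0xFFFFFFFFu  /* SIZE_MAX on a 32-bit build (assumed) */

/* The kernel's size multiplication as a 32-bit size_t computes it:
 * the product silently wraps modulo 2^32. */
static uint32_t alloc_size32(uint32_t n_insns)
{
    return (uint32_t)(ELEM_SIZE * n_insns);
}

/* Ground truth, computed in 64 bits: does the real product exceed
 * what a 32-bit size_t can hold? */
static int product_overflows(uint32_t n_insns)
{
    return (uint64_t)ELEM_SIZE * n_insns > (uint64_t)SIZE32_MAX;
}

/* The check the patch adds: reject only when the wrapped product
 * ended up below n_insns. Returns 1 when the request is rejected. */
static int weak_check_rejects(uint32_t n_insns)
{
    return alloc_size32(n_insns) < n_insns;
}

/* A division-based bound: rejects exactly the n_insns whose product
 * does not fit in a 32-bit size_t, with no arithmetic that can wrap. */
static int strong_check_rejects(uint32_t n_insns)
{
    return n_insns > SIZE32_MAX / ELEM_SIZE;
}

/* If the wrapped size were allocated, how many iterations of a
 * for (i = 0; i < n_insns; i++) walk over the buffer would land
 * past its end? Zero when the product did not wrap. */
static uint32_t iterations_past_end(uint32_t n_insns)
{
    uint32_t elems_that_fit = alloc_size32(n_insns) / ELEM_SIZE;
    return n_insns > elems_that_fit ? n_insns - elems_that_fit : 0;
}

/* Walk upward from the first n_insns whose product wraps and return
 * the first one that the patch's check fails to reject. */
static uint32_t first_missed_overflow(void)
{
    uint32_t n = SIZE32_MAX / ELEM_SIZE + 1;   /* smallest wrapping n */
    for (; n != 0; n++) {
        if (!weak_check_rejects(n))
            return n;
    }
    return 0;                                  /* not reached for ELEM_SIZE > 1 */
}

int main(void)
{
    uint32_t n = first_missed_overflow();
    printf("first n_insns that wraps but passes the patch's check: %lu (0x%lx)\n",
           (unsigned long)n, (unsigned long)n);
    printf("  real product 0x%llx, wrapped size 0x%lx, division check rejects: %d\n",
           (unsigned long long)ELEM_SIZE * n, (unsigned long)alloc_size32(n),
           strong_check_rejects(n));
    printf("  loop iterations that would read past the buffer: %lu\n",
           (unsigned long)iterations_past_end(n));
    return 0;
}
```

The weak check still stops the most obvious case (n_insns = 2^27 wraps the product to 0, which is below n_insns), which is why the patch is a real improvement. It misses n_insns values slightly above that boundary because the wrapped product is a multiple of ELEM_SIZE and grows faster than n_insns; whether such a request is actually dangerous then depends entirely on whether kmalloc() honours a size of that magnitude, which is not a property a bounds check should lean on.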