From: Ian Abbott <abbotti@mev.co.uk>
Date: Wed, 23 Nov 2011 15:28:57 +0000 (+0000)
Subject: Check integer overflow in do_cmd_ioctl() and do_cmdtest_ioctl().
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=824ffcaf3a1bd55a111ed67cf5b0cb3cd18b405f;p=comedi.git

Check integer overflow in do_cmd_ioctl() and do_cmdtest_ioctl().

Check for integer overflow when allocating buffer for channel list.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
---

diff --git a/comedi/comedi_fops.c b/comedi/comedi_fops.c
index ed26d001..ff09458a 100644
--- a/comedi/comedi_fops.c
+++ b/comedi/comedi_fops.c
@@ -1122,8 +1122,12 @@ static int do_cmd_ioctl(comedi_device * dev, void *arg, void *file)
 	async->cmd = user_cmd;
 	async->cmd.data = NULL;
 	/* load channel/gain list */
-	async->cmd.chanlist =
-		kmalloc(async->cmd.chanlist_len * sizeof(int), GFP_KERNEL);
+	if (async->cmd.chanlist_len <= ULONG_MAX / sizeof(int))
+		async->cmd.chanlist =
+			kmalloc(async->cmd.chanlist_len * sizeof(int),
+					GFP_KERNEL);
+	else
+		async->cmd.chanlist = NULL;
 	if (!async->cmd.chanlist) {
 		DPRINTK("allocation failed\n");
 		ret = -ENOMEM;
@@ -1252,9 +1256,10 @@ static int do_cmdtest_ioctl(comedi_device * dev, void *arg, void *file)
 
 	/* load channel/gain list */
 	if (user_cmd.chanlist) {
-		chanlist =
-			kmalloc(user_cmd.chanlist_len * sizeof(int),
-			GFP_KERNEL);
+		if (user_cmd.chanlist_len <= ULONG_MAX / sizeof(int))
+			chanlist =
+				kmalloc(user_cmd.chanlist_len * sizeof(int),
+				GFP_KERNEL);
 		if (!chanlist) {
 			DPRINTK("allocation failed\n");
 			ret = -ENOMEM;