Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

[Xi Wang]

Thanks for the pointer.  However you cannot do the overflow check using

  if (sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns)

Let's assume 32-bit system, sizeof(struct comedi_insn) = 32, and
insnlist.n_insns = 0x7fffffff.

Note that 32 * 0x7fffffff = 0xffffffe0 overflows but bypasses your check.

- xi

On Wed, Nov 23, 2011 at 1:13 AM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> I sent a patch for this already.
>
> http://driverdev.linuxdriverproject.org/pipermail/devel/2011-November/022469.html
>
> regards,
> dan carpenter
>
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/