On Sat, Oct 20 2001, Ken Ashcraft wrote:
> ---------------------------------------------------------
> [BUG] needs upper bound
> /home/kash/linux/2.4.12/drivers/cdrom/cdrom.c:2019:mmc_ioctl: ERROR:RANGE:2012:2019: [LOOP] Looping on user length "nr" set by 'copy_from_user':2018 [linkages -> 2018:nr=nframes -> 2012:ra:start] [distance=26]
>                 lba = ra.addr.lba;
>         else
>                 return -EINVAL;
>
>         /* FIXME: we need upper bound checking, too!! */
> Start --->
>         if (lba < 0 || ra.nframes <= 0)
>                 return -EINVAL;
>
>         /*
>          * start with will ra.nframes size, back down if alloc fails
>          */
>         nr = ra.nframes;
> Error --->
>         do {
>                 cgc.buffer = kmalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL);
>                 if (cgc.buffer)
>                         break;
Here's a fix for that. Linus, please apply.
-- Jens Axboe
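
Added example, not part of the original message and not the patch Jens Axboe sent: a user-space C sketch of the upper bound the checker report asks for, applied to the frame count before it reaches the allocation size. The function names, the cap `MAX_FRAMES_PER_CHUNK` and the halving back-off are assumptions made for illustration; `malloc` stands in for `kmalloc`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CD_FRAMESIZE_RAW 2352     /* bytes per raw CD frame, as in linux/cdrom.h */
#define MAX_FRAMES_PER_CHUNK 75   /* assumed cap for this example (one second of audio) */

/* Size a 32-bit multiply yields for an unbounded count (unsigned, so the wrap is defined). */
uint32_t size_as_computed_32bit(uint32_t nframes)
{
    return (uint32_t)CD_FRAMESIZE_RAW * nframes;
}

/*
 * Validate the user-supplied request and choose the first chunk size.
 * Returns 0 and sets *nr on success, -EINVAL on a bad request.
 * A request larger than one chunk is served by the caller in several passes.
 */
int first_chunk_frames(int lba, int nframes, int *nr)
{
    if (lba < 0 || nframes <= 0)
        return -EINVAL;           /* the lower-bound check quoted in the report */
    *nr = nframes > MAX_FRAMES_PER_CHUNK ? MAX_FRAMES_PER_CHUNK : nframes;
    return 0;                     /* *nr is now bounded on both sides */
}

/* Allocate room for *nr frames, halving *nr on failure (back-off policy is an assumption). */
void *alloc_chunk(int *nr)
{
    while (*nr > 0) {
        void *buf = malloc((size_t)CD_FRAMESIZE_RAW * (size_t)*nr);
        if (buf)
            return buf;
        *nr >>= 1;
    }
    return NULL;
}

int main(void)
{
    int nr = 0;
    /* Constructed input: a frame count whose byte size does not fit in 32 bits. */
    printf("32-bit size for 1826092 frames: %u bytes\n",
           (unsigned)size_as_computed_32bit(1826092u));
    if (first_chunk_frames(0, 1826092, &nr) == 0) {
        void *buf = alloc_chunk(&nr);
        printf("first chunk: %d frames, %zu bytes\n", nr, (size_t)CD_FRAMESIZE_RAW * (size_t)nr);
        free(buf);
    }
    return 0;
}
```

With the count clamped first, the multiplication can no longer wrap and the buffer size stays proportional to what the loop actually copies per pass.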
This archive was generated by hypermail 2b29 : Tue Oct 23 2001 - 21:00:35 EST