staging: vt6655: integer overflows in private_ioctl()
There are two potential integer overflows in private_ioctl() if userspace passes in a large sList.uItem / sNodeList.uItem. The subsequent call to kmalloc() would allocate a small buffer, leading to a memory corruption. Reported-by: Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Родитель
fee6433bdd
Коммит
2a58b19fd9
|
@ -300,6 +300,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
|
|||
result = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (sList.uItem > (ULONG_MAX - sizeof(SBSSIDList)) / sizeof(SBSSIDItem)) {
|
||||
result = -EINVAL;
|
||||
break;
|
||||
}
|
||||
pList = (PSBSSIDList)kmalloc(sizeof(SBSSIDList) + (sList.uItem * sizeof(SBSSIDItem)), (int)GFP_ATOMIC);
|
||||
if (pList == NULL) {
|
||||
result = -ENOMEM;
|
||||
|
@ -571,6 +575,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
|
|||
result = -EFAULT;
|
||||
break;
|
||||
}
|
||||
if (sNodeList.uItem > (ULONG_MAX - sizeof(SNodeList)) / sizeof(SNodeItem)) {
|
||||
result = -EINVAL;
|
||||
break;
|
||||
}
|
||||
pNodeList = (PSNodeList)kmalloc(sizeof(SNodeList) + (sNodeList.uItem * sizeof(SNodeItem)), (int)GFP_ATOMIC);
|
||||
if (pNodeList == NULL) {
|
||||
result = -ENOMEM;
|
||||
|
|
Загрузка…
Ссылка в новой задаче