From: Xi Wang <xi.wang@gmail.com>
Date: Fri, 25 Nov 2011 21:46:51 +0000 (-0500)
Subject: Staging: comedi: fix integer overflow in do_insnlist_ioctl()
X-Git-Tag: v3.2-rc5~51^2
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dfd8ee92a9192d78aa38cf8699df3630a7c88c85;p=pandora-kernel.git

Staging: comedi: fix integer overflow in do_insnlist_ioctl()

There is a potential integer overflow in do_insnlist_ioctl() if
userspace passes in a large insnlist.n_insns.  The call to kmalloc()
would allocate a small buffer, leading to a memory corruption.

The bug was reported by Dan Carpenter <dan.carpenter@oracle.com>
and Haogang Chen <haogangchen@gmail.com>.  The patch was suggested by
Ian Abbott <abbotti@mev.co.uk> and Lars-Peter Clausen <lars@metafoo.de>.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Reported-by: Haogang Chen <haogangchen@gmail.com>.
Cc: Ian Abbott <abbotti@mev.co.uk>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

Reading git-diff-tree failed