From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 4 Nov 2011 18:20:43 +0000 (+0300)
Subject: Staging: comedi: integer overflow in do_insnlist_ioctl()
X-Git-Tag: v3.2-rc5~51^2~2
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e384a41141949843899affcf51f4e6e646c1fe9f;p=pandora-kernel.git

Staging: comedi: integer overflow in do_insnlist_ioctl()

There is an integer overflow here that could cause memory corruption
on 32 bit systems.

insnlist.n_insns could be a very high value size calculation for
kmalloc() could overflow resulting in a smaller "insns" than
expected.  In the for (i = 0; i < insnlist.n_insns; i++) {... loop
we would read past the end of the buffer, possibly corrupting memory
as well.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

Reading git-diff-tree failed