Commit 2a58b19f authored by Xi Wang's avatar Xi Wang Committed by Greg Kroah-Hartman

staging: vt6655: integer overflows in private_ioctl()

There are two potential integer overflows in private_ioctl() if
userspace passes in a large sList.uItem / sNodeList.uItem.  The
subsequent call to kmalloc() would allocate a small buffer, leading
to a memory corruption.
Reported-by: default avatarDan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent fee6433b
...@@ -300,6 +300,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq) ...@@ -300,6 +300,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
result = -EFAULT; result = -EFAULT;
break; break;
} }
if (sList.uItem > (ULONG_MAX - sizeof(SBSSIDList)) / sizeof(SBSSIDItem)) {
result = -EINVAL;
break;
}
pList = (PSBSSIDList)kmalloc(sizeof(SBSSIDList) + (sList.uItem * sizeof(SBSSIDItem)), (int)GFP_ATOMIC); pList = (PSBSSIDList)kmalloc(sizeof(SBSSIDList) + (sList.uItem * sizeof(SBSSIDItem)), (int)GFP_ATOMIC);
if (pList == NULL) { if (pList == NULL) {
result = -ENOMEM; result = -ENOMEM;
...@@ -571,6 +575,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq) ...@@ -571,6 +575,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
result = -EFAULT; result = -EFAULT;
break; break;
} }
if (sNodeList.uItem > (ULONG_MAX - sizeof(SNodeList)) / sizeof(SNodeItem)) {
result = -EINVAL;
break;
}
pNodeList = (PSNodeList)kmalloc(sizeof(SNodeList) + (sNodeList.uItem * sizeof(SNodeItem)), (int)GFP_ATOMIC); pNodeList = (PSNodeList)kmalloc(sizeof(SNodeList) + (sNodeList.uItem * sizeof(SNodeItem)), (int)GFP_ATOMIC);
if (pNodeList == NULL) { if (pNodeList == NULL) {
result = -ENOMEM; result = -ENOMEM;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment