staging: vt6656: integer overflows in private_ioctl()
authorXi Wang <xi.wang@gmail.com>
Wed, 30 Nov 2011 02:53:46 +0000 (21:53 -0500)
committerGreg Kroah-Hartman <gregkh@suse.de>
Wed, 30 Nov 2011 10:29:40 +0000 (19:29 +0900)
There are two potential integer overflows in private_ioctl() if
userspace passes in a large sList.uItem / sNodeList.uItem.  The
subsequent call to kmalloc() would allocate a small buffer, leading
to a memory corruption.

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/staging/vt6656/ioctl.c

index 49390026dea358e4d86c828a7077abffe0c31167..1463d76895f023fe339d3ea8cf3a67a16544706f 100644 (file)
@@ -295,6 +295,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
                        result = -EFAULT;
                        break;
                }
+               if (sList.uItem > (ULONG_MAX - sizeof(SBSSIDList)) / sizeof(SBSSIDItem)) {
+                       result = -EINVAL;
+                       break;
+               }
                pList = (PSBSSIDList)kmalloc(sizeof(SBSSIDList) + (sList.uItem * sizeof(SBSSIDItem)), (int)GFP_ATOMIC);
                if (pList == NULL) {
                        result = -ENOMEM;
@@ -557,6 +561,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
                        result = -EFAULT;
                        break;
                }
+               if (sNodeList.uItem > (ULONG_MAX - sizeof(SNodeList)) / sizeof(SNodeItem)) {
+                       result = -ENOMEM;
+                       break;
+               }
                pNodeList = (PSNodeList)kmalloc(sizeof(SNodeList) + (sNodeList.uItem * sizeof(SNodeItem)), (int)GFP_ATOMIC);
                if (pNodeList == NULL) {
                        result = -ENOMEM;