Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()

From: Dan Carpenter
Date: Wed Nov 23 2011 - 09:51:41 EST

Next message: David Laight: "RE: [PATCH 1/2] ax25: integer overflows in ax25_setsockopt()"
Previous message: Serge E. Hallyn: "Re: [RFC] Make Yama pid_ns aware"
In reply to: Xi Wang: "Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()"
Next in thread: Ian Abbott: "Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Nov 23, 2011 at 08:59:52AM -0500, Xi Wang wrote:
> Thanks for the pointer. However you cannot do the overflow check using
>
> if (sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns)
>
> Let's assume 32-bit system, sizeof(struct comedi_insn) = 32, and
> insnlist.n_insns = 0x7fffffff.
>
> Note that 32 * 0x7fffffff = 0xffffffe0 overflows but bypasses your check.
>

Argh... You're right, my check is wrong. What I like about my patch
though is that it doesn't introduce an arbitrary limit. Could you
redo your check without the MAX_INSNS?

regards,
dan carpenter

Attachment: signature.asc
Description: Digital signature

Next message: David Laight: "RE: [PATCH 1/2] ax25: integer overflows in ax25_setsockopt()"
Previous message: Serge E. Hallyn: "Re: [RFC] Make Yama pid_ns aware"
In reply to: Xi Wang: "Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()"
Next in thread: Ian Abbott: "Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]