Re: [PATCH] comedi: integer overflow in do_insnlist_ioctl()
From: Dan Carpenter
Date: Wed Nov 23 2011 - 09:51:41 EST
On Wed, Nov 23, 2011 at 08:59:52AM -0500, Xi Wang wrote:
> Thanks for the pointer. However you cannot do the overflow check using
>
> if (sizeof(struct comedi_insn) * insnlist.n_insns < insnlist.n_insns)
>
> Let's assume 32-bit system, sizeof(struct comedi_insn) = 32, and
> insnlist.n_insns = 0x7fffffff.
>
> Note that 32 * 0x7fffffff = 0xffffffe0 overflows but bypasses your check.
>
Argh... You're right, my check is wrong. What I like about my patch
though is that it doesn't introduce an arbitrary limit. Could you
redo your check without the MAX_INSNS?
regards,
dan carpenter
Attachment:
signature.asc
Description: Digital signature