From: Vasiliy Kulikov <segoon@openwall.com>
To: "Dan Carpenter" <error27@gmail.com>,
kernel-janitors@vger.kernel.org,
"Mauro Carvalho Chehab" <mchehab@infradead.org>,
"David Härdeman" <david@hardeman.nu>,
"Jarod Wilson" <jarod@redhat.com>,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] media: rc: ir-lirc-codec: fix integer overflow
Date: Sat, 04 Dec 2010 21:05:22 +0000 [thread overview]
Message-ID: <20101204210522.GA5244@albatros> (raw)
In-Reply-To: <20101202045126.GA1784@bicker>
'n' may be bigger than MAX_INT*sizeof(int), if so checking of truncated
(int)(n/sizeof(int)) for LIRCBUF_SIZE overflows and then using nontruncated 'count'
doesn't make sense. This is not a security issue as too big 'n' is catched in
kmalloc() in memdup_user() call. However, it's better to prevent WARN() in kmalloc().
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
---
Compile tested only.
drivers/media/rc/ir-lirc-codec.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/drivers/media/rc/ir-lirc-codec.c b/drivers/media/rc/ir-lirc-codec.c
index 1e87ee8..a7e91e6 100644
--- a/drivers/media/rc/ir-lirc-codec.c
+++ b/drivers/media/rc/ir-lirc-codec.c
@@ -100,7 +100,8 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char *buf,
struct lirc_codec *lirc;
struct rc_dev *dev;
int *txbuf; /* buffer with values to transmit */
- int ret = 0, count;
+ int ret = 0;
+ size_t count;
lirc = lirc_get_pdata(file);
if (!lirc)
--
1.7.0.4
WARNING: multiple messages have this Message-ID (diff)
From: Vasiliy Kulikov <segoon@openwall.com>
To: "Dan Carpenter" <error27@gmail.com>,
kernel-janitors@vger.kernel.org,
"Mauro Carvalho Chehab" <mchehab@infradead.org>,
"David Härdeman" <david@hardeman.nu>,
"Jarod Wilson" <jarod@redhat.com>,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] media: rc: ir-lirc-codec: fix integer overflow
Date: Sun, 5 Dec 2010 00:05:22 +0300 [thread overview]
Message-ID: <20101204210522.GA5244@albatros> (raw)
In-Reply-To: <20101202045126.GA1784@bicker>
'n' may be bigger than MAX_INT*sizeof(int), if so checking of truncated
(int)(n/sizeof(int)) for LIRCBUF_SIZE overflows and then using nontruncated 'count'
doesn't make sense. This is not a security issue as too big 'n' is catched in
kmalloc() in memdup_user() call. However, it's better to prevent WARN() in kmalloc().
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
---
Compile tested only.
drivers/media/rc/ir-lirc-codec.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/drivers/media/rc/ir-lirc-codec.c b/drivers/media/rc/ir-lirc-codec.c
index 1e87ee8..a7e91e6 100644
--- a/drivers/media/rc/ir-lirc-codec.c
+++ b/drivers/media/rc/ir-lirc-codec.c
@@ -100,7 +100,8 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char *buf,
struct lirc_codec *lirc;
struct rc_dev *dev;
int *txbuf; /* buffer with values to transmit */
- int ret = 0, count;
+ int ret = 0;
+ size_t count;
lirc = lirc_get_pdata(file);
if (!lirc)
--
1.7.0.4
next prev parent reply other threads:[~2010-12-04 21:05 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-26 17:06 [PATCH] media: rc: ir-lirc-codec: fix potential integer overflow Vasiliy Kulikov
2010-11-26 17:06 ` Vasiliy Kulikov
2010-12-02 2:47 ` Jarod Wilson
2010-12-02 2:47 ` Jarod Wilson
2010-12-02 4:51 ` [PATCH] media: rc: ir-lirc-codec: fix potential integer Dan Carpenter
2010-12-02 4:51 ` [PATCH] media: rc: ir-lirc-codec: fix potential integer overflow Dan Carpenter
2010-12-02 15:00 ` Jarod Wilson
2010-12-02 15:00 ` Jarod Wilson
2010-12-02 18:55 ` Jarod Wilson
2010-12-02 18:55 ` Jarod Wilson
2010-12-04 21:05 ` Vasiliy Kulikov [this message]
2010-12-04 21:05 ` [PATCH v2] media: rc: ir-lirc-codec: fix " Vasiliy Kulikov
2010-12-08 16:15 ` Jarod Wilson
2010-12-08 16:15 ` Jarod Wilson
2010-12-02 21:08 ` [PATCH] media: rc: ir-lirc-codec: fix potential integer Andy Walls
2010-12-02 21:08 ` [PATCH] media: rc: ir-lirc-codec: fix potential integer overflow Andy Walls
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101204210522.GA5244@albatros \
--to=segoon@openwall.com \
--cc=david@hardeman.nu \
--cc=error27@gmail.com \
--cc=jarod@redhat.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.