* [patch 1/2] Staging: lustre: integer overflow in ioctl
@ 2015-04-01  8:12 Dan Carpenter
From: Dan Carpenter @ 2015-04-01  8:12 UTC
  To: kernel-janitors

hdr->ioc_len is a user controlled u32 so the addition can overflow,
especially on 32 bit systems.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c b/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c
index a5effcd..e962f89 100644
--- a/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c
+++ b/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c
@@ -57,7 +57,7 @@ int libcfs_ioctl_getdata(char *buf, char *end, void *arg)
 		return -EINVAL;
 	}
 
-	if (hdr->ioc_len + buf >= end) {
+	if (hdr->ioc_len >= end - buf) {
 		CERROR("PORTALS: user buffer exceeds kernel buffer\n");
 		return -EINVAL;
 	}
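
Review bot: the new comparison `hdr->ioc_len >= end - buf` is only safe while `end >= buf`, and nothing in this hunk establishes that. `end - buf` is a signed ptrdiff_t; on a 32-bit build, comparing it with the u32 `ioc_len` converts it to unsigned, so a negative difference would become a very large bound and let any length through. If the callers guarantee `end > buf`, a short comment above the check stating that invariant (and that the subtraction form is deliberate, so it is not later rewritten back to `hdr->ioc_len + buf`) would help; otherwise reject `end <= buf` explicitly before this test.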
