char: Int overflow in lp_do_ioctl().

arg comes from user-space, so int overflow may occur:
	LP_TIME(minor) = arg * HZ/100;

Reported-by: Yongjian Xu <xuyongjiande@gmail.com>
Suggested-by: Qixue Xiao <s2exqx@gmail.com>
Signed-off-by: Yu Chen <chyyuu@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Yongjian Xu 11 years ago
parent
commit
1c2de820d6
1 changed files with 2 additions and 0 deletions

+ 2 - 0
drivers/char/lp.c

@@ -587,6 +587,8 @@ static int lp_do_ioctl(unsigned int minor, unsigned int cmd,
 		return -ENODEV;
 	switch ( cmd ) {
 		case LPTIME:
+			if (arg > UINT_MAX / HZ)
+				return -EINVAL;
 			LP_TIME(minor) = arg * HZ/100;
 			break;
 		case LPCHAR:
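Review bot: The new bound in case LPTIME, `arg > UINT_MAX / HZ`, protects the intermediate product `arg * HZ` rather than the stored value `arg * HZ/100`, and nothing in the code says so. A one-line comment above the check stating that it guards the multiplication would keep a later reader from "relaxing" it to account for the division by 100. The commit subject says "Int overflow" while the check uses UINT_MAX, and the hunk shows neither the declared type of `arg` nor that of `LP_TIME(minor)`. Please name both types in the commit message so the choice of UINT_MAX over INT_MAX can be verified. Also note that callers who previously passed an oversized value got a silently wrapped timeout and will now get -EINVAL, which is a user-visible change worth a sentence in the log.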