keyboard: integer underflow bug

commit b652277b09 upstream.

The "ct" variable should be an unsigned int.  Both struct kbdiacrs
->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints.

Making it signed causes a problem in KBDIACRUC because the user could
set the signed bit and cause a buffer overflow.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Carpenter 2011-03-03 17:56:06 +01:00 committed by Willy Tarreau
parent 0c5e0cbbc9
commit a88dfcc1c2

@ -462,7 +462,8 @@ kbd_ioctl(struct kbd_data *kbd, struct file *file,
unsigned int cmd, unsigned long arg)
{
void __user *argp;
int ct, perm;
unsigned int ct;
int perm;
argp = (void __user *)arg;
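
Review bot: the new `unsigned int ct;` declaration in kbd_ioctl() carries the whole fix through its type alone, and nothing at the declaration says so. The commit message explains that the count is compared against unsigned fields (kb_cnt, accent_table_size), but a later cleanup could merge the line back into `int ct, perm;` without noticing. Suggest a one-line comment at the declaration stating that ct holds a user-supplied count and must stay unsigned for the size check in KBDIACRUC to hold. The check itself lies outside this hunk, so it is worth confirming that every other use of ct in this function is also safe with the unsigned type, since the message names only KBDIACRUC. Minor: the subject says "integer underflow" while the body describes a sign-bit problem leading to a buffer overflow; aligning the two would make the log easier to search.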