char: Int overflow in lp_do_ioctl().
author Yongjian Xu <xuyongjiande@gmail.com>
Wed, 18 Dec 2013 07:45:12 +0000 (15:45 +0800)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Dec 2013 00:39:54 +0000 (16:39 -0800)
arg comes from user-space, so int overflow may occur:
LP_TIME(minor) = arg * HZ/100;

Reported-by: Yongjian Xu <xuyongjiande@gmail.com>
Suggested-by: Qixue Xiao <s2exqx@gmail.com>
Signed-off-by: Yu Chen <chyyuu@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/char/lp.c

index 0913d79..c4094c4 100644 (file)
@@ -587,6 +587,8 @@ static int lp_do_ioctl(unsigned int minor, unsigned int cmd,
                return -ENODEV;
        switch ( cmd ) {
                case LPTIME:
+                       if (arg > UINT_MAX / HZ)
+                               return -EINVAL;
                        LP_TIME(minor) = arg * HZ/100;
                        break;
                case LPCHAR:
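
Review bot: The new guard at the top of the LPTIME case bounds arg * HZ against UINT_MAX, which is the right limit only if LP_TIME(minor) is an unsigned int; neither that field's type nor the declaration of arg is visible in this hunk. If the destination is a signed int, values of arg between INT_MAX / HZ and UINT_MAX / HZ still pass the check and can store a value that wraps negative, so the comparison should use INT_MAX / HZ in that case. A one-line comment above the check saying that it prevents arg * HZ from wrapping would help; the commit message says only that "int overflow may occur" and does not say why UINT_MAX / HZ is the chosen bound. The change also makes LPTIME return -EINVAL for large values that were previously accepted, which is worth a mention in the commit message.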