From faec8ab42b4a0f119a1cfbceef0c14b7b61059cb Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Wed, 1 Apr 2015 11:12:15 +0300 Subject: [PATCH] Staging: lustre: integer overflow in ioctl hdr->ioc_len is a user controlled u32 so the addition can overflow, especially on 32 bit systems. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- drivers/staging/lustre/lustre/libcfs/linux/linux-module.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c b/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c index a5effcd..e962f89 100644 --- a/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c +++ b/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c @@ -57,7 +57,7 @@ int libcfs_ioctl_getdata(char *buf, char *end, void *arg) return -EINVAL; } - if (hdr->ioc_len + buf >= end) { + if (hdr->ioc_len >= end - buf) { CERROR("PORTALS: user buffer exceeds kernel buffer\n"); return -EINVAL; } -- 2.7.4