Project

General

Profile

Feature #2771

Updated by Vladimir Gratinskiy over 12 years ago

Somebody can pass negative values as a number of bytes to be copied from user. But copy_from_user() (and some similar functions) copy_from_user expects unsigned long int value, so negative values will lead to integer underflow. This issue belongs to _specific:check_params_, but also can be treated as _generic:int_overflow_. Commit 064368f of linux-stable represents the issue. Model 111_1a will take care on it. 
 And in additional 111_1a check if number of bytes is less than buffer's size.

Back