Staging: comedi: fix integer overflow in do_insnlist_ioctl()

There is a potential integer overflow in do_insnlist_ioctl() if
userspace passes in a large insnlist.n_insns.  The call to kmalloc()
would allocate a small buffer, leading to a memory corruption.

The bug was reported by Dan Carpenter <[email protected]>
and Haogang Chen <[email protected]>.  The patch was suggested by
Ian Abbott <[email protected]> and Lars-Peter Clausen <[email protected]>.

Reported-by: Dan Carpenter <[email protected]>
Reported-by: Haogang Chen <[email protected]>.
Cc: Ian Abbott <[email protected]>
Cc: Lars-Peter Clausen <[email protected]>
Signed-off-by: Xi Wang <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

0 files changed, 0 insertions, 0 deletions