diff options
| author | Dan Carpenter <error27@gmail.com> | 2011-03-03 17:56:06 +0100 |
|---|---|---|
| committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-06-26 12:46:56 -0400 |
| commit | 43f850c6e83638263098c8852761a07b3ed1c01e (patch) | |
| tree | eca48721d293dc0da08c8b9d97d11d6b68214dbf /drivers | |
| parent | e9dab809ef06d2be702cfe04a1d22436b5ef6f1f (diff) | |
| download | linux-stable-43f850c6e83638263098c8852761a07b3ed1c01e.tar.gz linux-stable-43f850c6e83638263098c8852761a07b3ed1c01e.tar.bz2 linux-stable-43f850c6e83638263098c8852761a07b3ed1c01e.zip | |
keyboard: integer underflow bug
commit b652277b09d3d030cb074cc6a98ba80b34244c03 upstream.
The "ct" variable should be an unsigned int. Both struct kbdiacrs
->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints.
Making it signed causes a problem in KBDIACRUC because the user could
set the signed bit and cause a buffer overflow.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/s390/char/keyboard.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/s390/char/keyboard.c b/drivers/s390/char/keyboard.c index cb6bffe7141a..84d08f9cfe26 100644 --- a/drivers/s390/char/keyboard.c +++ b/drivers/s390/char/keyboard.c @@ -463,7 +463,8 @@ kbd_ioctl(struct kbd_data *kbd, struct file *file, unsigned int cmd, unsigned long arg) { void __user *argp; - int ct, perm; + unsigned int ct; + int perm; argp = (void __user *)arg; |