[PATCH] SCSI: aacraid: potential integer overflow in aac_get_containers()

From: Haogang Chen
Date: Wed Nov 30 2011 - 21:31:09 EST

Next message: Marcos Paulo de Souza: "[PATCH 3/4] staging: vt6656: datarate.c: Remove unneeded comments"
Previous message: Marcos Paulo de Souza: "[PATCH 2/4] staging: vt6656: control.c: Remove dead code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There is a potential integer overflow in aac_get_containers(). When
maximum_num_containers is large, the subsequent call to kzalloc() will
allocate a buffer smaller than expected, which leads to memory
corruption in the for loop.

The patch replaces kzalloc with kcalloc.

Signed-off-by: Haogang Chen <haogangchen@xxxxxxxxx>
---
drivers/scsi/aacraid/aachba.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c
index 409f580..440b84d 100644
--- a/drivers/scsi/aacraid/aachba.c
+++ b/drivers/scsi/aacraid/aachba.c
@@ -381,7 +381,7 @@ int aac_get_containers(struct aac_dev *dev)

if (maximum_num_containers < MAXIMUM_NUM_CONTAINERS)
maximum_num_containers = MAXIMUM_NUM_CONTAINERS;
- fsa_dev_ptr = kzalloc(sizeof(*fsa_dev_ptr) * maximum_num_containers,
+ fsa_dev_ptr = kcalloc(maximum_num_containers, sizeof(*fsa_dev_ptr),
GFP_KERNEL);
if (!fsa_dev_ptr)
return -ENOMEM;
--
1.7.5.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Marcos Paulo de Souza: "[PATCH 3/4] staging: vt6656: datarate.c: Remove unneeded comments"
Previous message: Marcos Paulo de Souza: "[PATCH 2/4] staging: vt6656: control.c: Remove dead code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]