From 1c2de820d66d704c7d6fffdd872b7670eb4e29bb Mon Sep 17 00:00:00 2001 From: Yongjian Xu Date: Wed, 18 Dec 2013 15:45:12 +0800 Subject: char: Int overflow in lp_do_ioctl(). arg comes from user-space, so int overflow may occur: LP_TIME(minor) = arg * HZ/100; Reported-by: Yongjian Xu Suggested-by: Qixue Xiao Signed-off-by: Yu Chen Signed-off-by: Greg Kroah-Hartman --- drivers/char/lp.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/char') diff --git a/drivers/char/lp.c b/drivers/char/lp.c index 0913d79424d3..c4094c4e22c1 100644 --- a/drivers/char/lp.c +++ b/drivers/char/lp.c @@ -587,6 +587,8 @@ static int lp_do_ioctl(unsigned int minor, unsigned int cmd, return -ENODEV; switch ( cmd ) { case LPTIME: + if (arg > UINT_MAX / HZ) + return -EINVAL; LP_TIME(minor) = arg * HZ/100; break; case LPCHAR: -- cgit v1.2.1