From 6a84e6dfb2238ed921097cb5a6fcd618287caa45 Mon Sep 17 00:00:00 2001
From: Xi Wang <xi.wang@gmail.com>
Date: Tue, 29 Nov 2011 21:52:46 -0500
Subject: [PATCH] --- yaml --- r: 281181 b: refs/heads/master c:
 2a58b19fd97c7368c03c027419a2aeb26313adad h: refs/heads/master i:   281179:
 f5d9a93fd80eec46d26aad53045ad888e6557a5b v: v3

---
 [refs]                               | 2 +-
 trunk/drivers/staging/vt6655/ioctl.c | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/[refs] b/[refs]
index e73cd142719d..31054b869be5 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: fee6433bdd1a4ab403a79069eda9a38da9903243
+refs/heads/master: 2a58b19fd97c7368c03c027419a2aeb26313adad
diff --git a/trunk/drivers/staging/vt6655/ioctl.c b/trunk/drivers/staging/vt6655/ioctl.c
index 432a20993c6e..7fd5cc5a55f6 100644
--- a/trunk/drivers/staging/vt6655/ioctl.c
+++ b/trunk/drivers/staging/vt6655/ioctl.c
@@ -300,6 +300,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
 			result = -EFAULT;
 			break;
 		}
+		if (sList.uItem > (ULONG_MAX - sizeof(SBSSIDList)) / sizeof(SBSSIDItem)) {
+			result = -EINVAL;
+			break;
+		}
 		pList = (PSBSSIDList)kmalloc(sizeof(SBSSIDList) + (sList.uItem * sizeof(SBSSIDItem)), (int)GFP_ATOMIC);
 		if (pList == NULL) {
 			result = -ENOMEM;
@@ -571,6 +575,10 @@ int private_ioctl(PSDevice pDevice, struct ifreq *rq)
 			result = -EFAULT;
 			break;
 		}
+		if (sNodeList.uItem > (ULONG_MAX - sizeof(SNodeList)) / sizeof(SNodeItem)) {
+			result = -EINVAL;
+			break;
+		}
 		pNodeList = (PSNodeList)kmalloc(sizeof(SNodeList) + (sNodeList.uItem * sizeof(SNodeItem)), (int)GFP_ATOMIC);
 		if (pNodeList == NULL) {
 			result = -ENOMEM;