Skip to content

Commit

Permalink
[S390] keyboard: integer underflow bug
Browse files Browse the repository at this point in the history 
The "ct" variable should be an unsigned int.  Both struct kbdiacrs
->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints.

Making it signed causes a problem in KBDIACRUC because the user could
set the signed bit and cause a buffer overflow.

Cc: <stable@kernel.org>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
  • Loading branch information
Dan Carpenter authored and Martin Schwidefsky committed Mar 3, 2011
1 parent 0c0db03 commit b652277
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion drivers/s390/char/keyboard.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -460,7 +460,8 @@ kbd_ioctl(struct kbd_data *kbd, struct file *file,
unsigned int cmd, unsigned long arg)
{
void __user *argp;
int ct, perm;
unsigned int ct;
int perm;

argp = (void __user *)arg;

Expand Down

0 comments on commit b652277

Please sign in to comment.