char: Int overflow in lp_do_ioctl().

arg comes from user-space, so int overflow may occur: LP_TIME(minor) = arg * HZ/100; Reported-by: Yongjian Xu <xuyongjiande@gmail.com> Suggested-by: Qixue Xiao <s2exqx@gmail.com> Signed-off-by: Yu Chen <chyyuu@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
torvalds · Dec 19, 2013 · 1c2de82 · 1c2de82
1 parent 138a6d7
commit 1c2de82
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/drivers/char/lp.c b/drivers/char/lp.c
@@ -587,6 +587,8 @@ static int lp_do_ioctl(unsigned int minor, unsigned int cmd,
 		return -ENODEV;
 	switch ( cmd ) {
 		case LPTIME:
+			if (arg > UINT_MAX / HZ)
+				return -EINVAL;
 			LP_TIME(minor) = arg * HZ/100;
 			break;
 		case LPCHAR: