diff options
author | Dan Carpenter <error27@gmail.com> | 2011-03-03 17:56:06 +0100 |
---|---|---|
committer | AK <andi@firstfloor.org> | 2011-03-31 11:58:19 -0700 |
commit | 4e6c91302a8e7073d69adca8100a1f7361050f6f (patch) | |
tree | f6e8a2f28b187e51673cca3526e40407207ed6ff /drivers | |
parent | ed0afb9880641cc6a22a46b75fcaca67728ce41b (diff) |
keyboard: integer underflow bug
commit b652277b09d3d030cb074cc6a98ba80b34244c03 upstream.
The "ct" variable should be an unsigned int. Both struct kbdiacrs
->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints.
Making it signed causes a problem in KBDIACRUC because the user could
set the signed bit and cause a buffer overflow.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/s390/char/keyboard.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/s390/char/keyboard.c b/drivers/s390/char/keyboard.c index 18d9a497863b..9b93e4a7261f 100644 --- a/drivers/s390/char/keyboard.c +++ b/drivers/s390/char/keyboard.c @@ -460,7 +460,8 @@ kbd_ioctl(struct kbd_data *kbd, struct file *file, unsigned int cmd, unsigned long arg) { void __user *argp; - int ct, perm; + unsigned int ct; + int perm; argp = (void __user *)arg; |