diff options
author | Dan Carpenter <error27@gmail.com> | 2011-03-03 17:56:06 +0100 |
---|---|---|
committer | Martin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com> | 2011-03-03 17:56:14 +0100 |
commit | b652277b09d3d030cb074cc6a98ba80b34244c03 (patch) | |
tree | 3e83ec35774580a151fa7e59ec32f7c5786c689c /drivers/s390 | |
parent | 0c0db0355bc070b4c623622248d3f577642536b9 (diff) | |
download | linux-b652277b09d3d030cb074cc6a98ba80b34244c03.tar.gz linux-b652277b09d3d030cb074cc6a98ba80b34244c03.tar.bz2 linux-b652277b09d3d030cb074cc6a98ba80b34244c03.zip |
[S390] keyboard: integer underflow bug
The "ct" variable should be an unsigned int. Both struct kbdiacrs
->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints.
Making it signed causes a problem in KBDIACRUC because the user could
set the signed bit and cause a buffer overflow.
Cc: <stable@kernel.org>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390')
-rw-r--r-- | drivers/s390/char/keyboard.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/s390/char/keyboard.c b/drivers/s390/char/keyboard.c index 8cd58e412b5e..5ad44daef73b 100644 --- a/drivers/s390/char/keyboard.c +++ b/drivers/s390/char/keyboard.c @@ -460,7 +460,8 @@ kbd_ioctl(struct kbd_data *kbd, struct file *file, unsigned int cmd, unsigned long arg) { void __user *argp; - int ct, perm; + unsigned int ct; + int perm; argp = (void __user *)arg; |