summaryrefslogtreecommitdiffstats
path: root/drivers/s390
diff options
context:
space:
mode:
authorDan Carpenter <error27@gmail.com>2011-03-03 17:56:06 +0100
committerMartin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com>2011-03-03 17:56:14 +0100
commitb652277b09d3d030cb074cc6a98ba80b34244c03 (patch)
tree3e83ec35774580a151fa7e59ec32f7c5786c689c /drivers/s390
parent0c0db0355bc070b4c623622248d3f577642536b9 (diff)
downloadlinux-b652277b09d3d030cb074cc6a98ba80b34244c03.tar.gz
linux-b652277b09d3d030cb074cc6a98ba80b34244c03.tar.bz2
linux-b652277b09d3d030cb074cc6a98ba80b34244c03.zip
[S390] keyboard: integer underflow bug
The "ct" variable should be an unsigned int. Both struct kbdiacrs ->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints. Making it signed causes a problem in KBDIACRUC because the user could set the signed bit and cause a buffer overflow. Cc: <stable@kernel.org> Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390')
-rw-r--r--drivers/s390/char/keyboard.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/s390/char/keyboard.c b/drivers/s390/char/keyboard.c
index 8cd58e412b5e..5ad44daef73b 100644
--- a/drivers/s390/char/keyboard.c
+++ b/drivers/s390/char/keyboard.c
@@ -460,7 +460,8 @@ kbd_ioctl(struct kbd_data *kbd, struct file *file,
unsigned int cmd, unsigned long arg)
{
void __user *argp;
- int ct, perm;
+ unsigned int ct;
+ int perm;
argp = (void __user *)arg;