keyboard: integer underflow bug

commit b652277b09d3d030cb074cc6a98ba80b34244c03 upstream. The "ct" variable should be an unsigned int. Both struct kbdiacrs ->kb_cnt and struct kbd_data ->accent_table_size are unsigned ints. Making it signed causes a problem in KBDIACRUC because the user could set the signed bit and cause a buffer overflow. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Dan Carpenter <error27@gmail.com> 2011-03-03 17:56:06 +0100
committer: Greg Kroah-Hartman <gregkh@suse.de> 2011-03-14 14:29:53 -0700
commit: d5719ed81492a21fa0ba5b10ba366153f2b49fb3 (patch)
tree: 1c6a84f4c6687f56c1c8f2342f3c413669088dca
parent: cf666a4bfee9de4378566819081e9451a0fe6f1f (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/s390/char/keyboard.c b/drivers/s390/char/keyboard.c
index cee4d4e4242..1160fca4366 100644
--- a/drivers/s390/char/keyboard.c
+++ b/drivers/s390/char/keyboard.c
@@ -462,7 +462,8 @@ kbd_ioctl(struct kbd_data *kbd, struct file *file,
 	  unsigned int cmd, unsigned long arg)
 {
 	void __user *argp;
-	int ct, perm;
+	unsigned int ct;
+	int perm;
 
 	argp = (void __user *)arg;
author	Dan Carpenter <error27@gmail.com>	2011-03-03 17:56:06 +0100
committer	Greg Kroah-Hartman <gregkh@suse.de>	2011-03-14 14:29:53 -0700
commit	d5719ed81492a21fa0ba5b10ba366153f2b49fb3 (patch)
tree	1c6a84f4c6687f56c1c8f2342f3c413669088dca
parent	cf666a4bfee9de4378566819081e9451a0fe6f1f (diff)