mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-16 07:35:14 +00:00
drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()
The local variable 'bi' comes from userspace. If userspace passed a large number to 'bi.data.calibrate', there would be an integer overflow in the following line: s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; Signed-off-by: Wenliang Fan <fanwlexca@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
0c8d087c04
commit
e9db5c21d3
1 changed files with 2 additions and 0 deletions
|
@ -571,6 +571,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
|
||||||
case HDLCDRVCTL_CALIBRATE:
|
case HDLCDRVCTL_CALIBRATE:
|
||||||
if(!capable(CAP_SYS_RAWIO))
|
if(!capable(CAP_SYS_RAWIO))
|
||||||
return -EPERM;
|
return -EPERM;
|
||||||
|
if (bi.data.calibrate > INT_MAX / s->par.bitrate)
|
||||||
|
return -EINVAL;
|
||||||
s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
|
s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue