提交 e9db5c21 编写于 作者: W Wenliang Fan 提交者: David S. Miller

drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()

The local variable 'bi' comes from userspace. If userspace passed a
large number to 'bi.data.calibrate', there would be an integer overflow
in the following line:
	s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
Signed-off-by: NWenliang Fan <fanwlexca@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 0c8d087c
...@@ -571,6 +571,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) ...@@ -571,6 +571,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
case HDLCDRVCTL_CALIBRATE: case HDLCDRVCTL_CALIBRATE:
if(!capable(CAP_SYS_RAWIO)) if(!capable(CAP_SYS_RAWIO))
return -EPERM; return -EPERM;
if (bi.data.calibrate > INT_MAX / s->par.bitrate)
return -EINVAL;
s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
return 0; return 0;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册