drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()
authorWenliang Fan <fanwlexca@gmail.com>
Tue, 17 Dec 2013 03:25:28 +0000 (11:25 +0800)
committerDavid S. Miller <davem@davemloft.net>
Thu, 19 Dec 2013 20:02:14 +0000 (15:02 -0500)
The local variable 'bi' comes from userspace. If userspace passed a
large number to 'bi.data.calibrate', there would be an integer overflow
in the following line:
s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;

Signed-off-by: Wenliang Fan <fanwlexca@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/hamradio/hdlcdrv.c

index 3169252..5d78c1d 100644 (file)
@@ -571,6 +571,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
        case HDLCDRVCTL_CALIBRATE:
                if(!capable(CAP_SYS_RAWIO))
                        return -EPERM;
+               if (bi.data.calibrate > INT_MAX / s->par.bitrate)
+                       return -EINVAL;
                s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
                return 0;