From: Tilman Schmidt <tilman@imap.cc>
Date: Sat, 11 Oct 2014 11:46:29 +0000 (+0200)
Subject: isdn/gigaset: limit raw CAPI message dump length
X-Git-Tag: v4.9.8~5486^2~54^2~9
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=097933ddcd28ef99c116651b20fd2e06717e0f0d;p=platform%2Fkernel%2Flinux-rpi3.git

isdn/gigaset: limit raw CAPI message dump length

In dump_rawmsg, the length field from a received data package was
used unscrutinized, allowing an attacker to control the size of the
allocated buffer and the number of times the output loop iterates.
Fix by limiting to a reasonable value.

Spotted with Coverity.

Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c
index 044392c..47e2a91 100644
--- a/drivers/isdn/gigaset/capi.c
+++ b/drivers/isdn/gigaset/capi.c
@@ -250,6 +250,8 @@ static inline void dump_rawmsg(enum debuglevel level, const char *tag,
 	l -= 12;
 	if (l <= 0)
 		return;
+	if (l > 64)
+		l = 64; /* arbitrary limit */
 	dbgline = kmalloc(3 * l, GFP_ATOMIC);
 	if (!dbgline)
 		return;