drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()

[ Upstream commit e9db5c21d3646a6454fcd04938dd215ac3ab620a ] The local variable 'bi' comes from userspace. If userspace passed a large number to 'bi.data.calibrate', there would be an integer overflow in the following line: s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; Signed-off-by: Wenliang Fan <fanwlexca@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
author: Wenliang Fan <fanwlexca@gmail.com> 2013-12-17 11:25:28 +0800
committer: Stefan Bader <stefan.bader@canonical.com> 2014-05-20 16:35:06 +0200
commit: 58a1a81d023dc80ccf0917934f9d5321c0e56f97 (patch)
tree: 73213767815517b49007cfe59e6ea389811c31bd
parent: a57cf07273bd2311c0ab0e3a72409bd877366a06 (diff)
download: linux-2.6.32.y-drm33.z-58a1a81d023dc80ccf0917934f9d5321c0e56f97.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/net/hamradio/hdlcdrv.c b/drivers/net/hamradio/hdlcdrv.c
index 91c5790c9581d..c1b265d7d6da8 100644
--- a/drivers/net/hamradio/hdlcdrv.c
+++ b/drivers/net/hamradio/hdlcdrv.c
@@ -572,6 +572,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 	case HDLCDRVCTL_CALIBRATE:
 		if(!capable(CAP_SYS_RAWIO))
 			return -EPERM;
+		if (bi.data.calibrate > INT_MAX / s->par.bitrate)
+			return -EINVAL;
 		s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
 		return 0;
author	Wenliang Fan <fanwlexca@gmail.com>	2013-12-17 11:25:28 +0800
committer	Stefan Bader <stefan.bader@canonical.com>	2014-05-20 16:35:06 +0200
commit	58a1a81d023dc80ccf0917934f9d5321c0e56f97 (patch)
tree	73213767815517b49007cfe59e6ea389811c31bd
parent	a57cf07273bd2311c0ab0e3a72409bd877366a06 (diff)
download	linux-2.6.32.y-drm33.z-58a1a81d023dc80ccf0917934f9d5321c0e56f97.tar.gz