diff options
author | Wenliang Fan <fanwlexca@gmail.com> | 2013-12-17 11:25:28 +0800 |
---|---|---|
committer | Stefan Bader <stefan.bader@canonical.com> | 2014-05-20 16:35:06 +0200 |
commit | 58a1a81d023dc80ccf0917934f9d5321c0e56f97 (patch) | |
tree | 73213767815517b49007cfe59e6ea389811c31bd | |
parent | a57cf07273bd2311c0ab0e3a72409bd877366a06 (diff) | |
download | linux-2.6.32.y-drm33.z-58a1a81d023dc80ccf0917934f9d5321c0e56f97.tar.gz |
drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()
[ Upstream commit e9db5c21d3646a6454fcd04938dd215ac3ab620a ]
The local variable 'bi' comes from userspace. If userspace passed a
large number to 'bi.data.calibrate', there would be an integer overflow
in the following line:
s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
Signed-off-by: Wenliang Fan <fanwlexca@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
-rw-r--r-- | drivers/net/hamradio/hdlcdrv.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/net/hamradio/hdlcdrv.c b/drivers/net/hamradio/hdlcdrv.c index 91c5790c9581d..c1b265d7d6da8 100644 --- a/drivers/net/hamradio/hdlcdrv.c +++ b/drivers/net/hamradio/hdlcdrv.c @@ -572,6 +572,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) case HDLCDRVCTL_CALIBRATE: if(!capable(CAP_SYS_RAWIO)) return -EPERM; + if (bi.data.calibrate > INT_MAX / s->par.bitrate) + return -EINVAL; s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; return 0; |