isdn/gigaset: limit raw CAPI message dump length

In dump_rawmsg, the length field from a received data package was used unscrutinized, allowing an attacker to control the size of the allocated buffer and the number of times the output loop iterates. Fix by limiting to a reasonable value. Spotted with Coverity. Signed-off-by: Tilman Schmidt <tilman@imap.cc> Signed-off-by: David S. Miller <davem@davemloft.net>

isdn/gigaset: limit raw CAPI message dump length
In dump_rawmsg, the length field from a received data package was used unscrutinized, allowing an attacker to control the size of the allocated buffer and the number of times the output loop iterates. Fix by limiting to a reasonable value. Spotted with Coverity. Signed-off-by: Tilman Schmidt <tilman@imap.cc> Signed-off-by: David S. Miller <davem@davemloft.net>
097933dd · Tilman Schmidt · David S. Miller · ee7ff5fe · 097933dd
Commit 097933dd authored Oct 11, 2014 by Tilman Schmidt Committed by David S. Miller Oct 14, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

drivers/isdn/gigaset/capi.c drivers/isdn/gigaset/capi.c +2 -0

No files found.
--- a/drivers/isdn/gigaset/capi.c
+++ b/drivers/isdn/gigaset/capi.c
@@ -250,6 +250,8 @@ static inline void dump_rawmsg(enum debuglevel level, const char *tag,
 	l -= 12;
 	if (l <= 0)
 		return;
+	if (l > 64)
+		l = 64; /* arbitrary limit */
 	dbgline = kmalloc(3 * l, GFP_ATOMIC);
 	if (!dbgline)
 		return;