Commit 097933dd authored by Tilman Schmidt's avatar Tilman Schmidt Committed by David S. Miller

isdn/gigaset: limit raw CAPI message dump length

In dump_rawmsg, the length field from a received data package was
used unscrutinized, allowing an attacker to control the size of the
allocated buffer and the number of times the output loop iterates.
Fix by limiting to a reasonable value.

Spotted with Coverity.
Signed-off-by: default avatarTilman Schmidt <tilman@imap.cc>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent ee7ff5fe
...@@ -250,6 +250,8 @@ static inline void dump_rawmsg(enum debuglevel level, const char *tag, ...@@ -250,6 +250,8 @@ static inline void dump_rawmsg(enum debuglevel level, const char *tag,
l -= 12; l -= 12;
if (l <= 0) if (l <= 0)
return; return;
if (l > 64)
l = 64; /* arbitrary limit */
dbgline = kmalloc(3 * l, GFP_ATOMIC); dbgline = kmalloc(3 * l, GFP_ATOMIC);
if (!dbgline) if (!dbgline)
return; return;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment