Commit 2e453546 authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman

VMCI: integer overflow in vmci_datagram_dispatch()

This is untrusted user data from vmci_host_do_send_datagram() so the
VMCI_DG_SIZE() macro can have an integer overflow.
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 95e838c9
...@@ -328,7 +328,8 @@ int vmci_datagram_dispatch(u32 context_id, ...@@ -328,7 +328,8 @@ int vmci_datagram_dispatch(u32 context_id,
BUILD_BUG_ON(sizeof(struct vmci_datagram) != 24); BUILD_BUG_ON(sizeof(struct vmci_datagram) != 24);
if (VMCI_DG_SIZE(dg) > VMCI_MAX_DG_SIZE) { if (dg->payload_size > VMCI_MAX_DG_SIZE ||
VMCI_DG_SIZE(dg) > VMCI_MAX_DG_SIZE) {
pr_devel("Payload (size=%llu bytes) too big to send\n", pr_devel("Payload (size=%llu bytes) too big to send\n",
(unsigned long long)dg->payload_size); (unsigned long long)dg->payload_size);
return VMCI_ERROR_INVALID_ARGS; return VMCI_ERROR_INVALID_ARGS;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment