Commit e9db5c21 authored by Wenliang Fan's avatar Wenliang Fan Committed by David S. Miller

drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()

The local variable 'bi' comes from userspace. If userspace passed a
large number to 'bi.data.calibrate', there would be an integer overflow
in the following line:
	s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
Signed-off-by: default avatarWenliang Fan <fanwlexca@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 0c8d087c
...@@ -571,6 +571,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) ...@@ -571,6 +571,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
case HDLCDRVCTL_CALIBRATE: case HDLCDRVCTL_CALIBRATE:
if(!capable(CAP_SYS_RAWIO)) if(!capable(CAP_SYS_RAWIO))
return -EPERM; return -EPERM;
if (bi.data.calibrate > INT_MAX / s->par.bitrate)
return -EINVAL;
s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment