[net,v2,3/3] net/packet: fix overflow in check for tp_reserve

Submitted by Andrey Konovalov on March 29, 2017, 2:11 p.m.

Details

Message ID b6e7f64aa4f58db0c879510e86196534e472f857.1490796500.git.andreyknvl@google.com
State Accepted
Delegated to: David Miller
Headers show

Commit Message

Andrey Konovalov March 29, 2017, 2:11 p.m.
When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.

Fix by checking that tp_reserve <= INT_MAX on assign.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 net/packet/af_packet.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Eric Dumazet March 29, 2017, 3:51 p.m.
On Wed, 2017-03-29 at 16:11 +0200, Andrey Konovalov wrote:
> When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
> 
> Fix by checking that tp_reserve <= INT_MAX on assign.
> 
> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
> ---

Acked-by: Eric Dumazet <edumazet@google.com>

Thanks !

Patch hide | download patch | download mbox

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 3ac286ebb2f4..8489beff5c25 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3665,6 +3665,8 @@  packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
 			return -EBUSY;
 		if (copy_from_user(&val, optval, sizeof(val)))
 			return -EFAULT;
+		if (val > INT_MAX)
+			return -EINVAL;
 		po->tp_reserve = val;
 		return 0;
 	}