[net,v2,2/3] net/packet: fix overflow in check for tp_frame_nr

Submitted by Andrey Konovalov on March 29, 2017, 2:11 p.m.

Details

Message ID b6e4098bf0d0bccc538e133ce5200432be8c4732.1490796500.git.andreyknvl@google.com
State Accepted
Delegated to: David Miller
Headers show

Commit Message

Andrey Konovalov March 29, 2017, 2:11 p.m.
When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr <= UINT_MAX.

Since frames_per_block <= tp_block_size, the expression would
never overflow.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 net/packet/af_packet.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Eric Dumazet March 29, 2017, 3:51 p.m.
On Wed, 2017-03-29 at 16:11 +0200, Andrey Konovalov wrote:
> When calculating rb->frames_per_block * req->tp_block_nr the result
> can overflow.
> 
> Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
> 
> Since frames_per_block <= tp_block_size, the expression would
> never overflow.
> 
> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
> ---

Acked-by: Eric Dumazet <edumazet@google.com>

Patch hide | download patch | download mbox

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 2323ee35dc09..3ac286ebb2f4 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4205,6 +4205,8 @@  static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 		rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
 		if (unlikely(rb->frames_per_block == 0))
 			goto out;
+		if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
+			goto out;
 		if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
 					req->tp_frame_nr))
 			goto out;