Message ID | 20140717105044.GA28140@mwanda |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
From: Dan Carpenter <dan.carpenter@oracle.com> Date: Thu, 17 Jul 2014 13:50:45 +0300 > If "newmtu * 2 + 4" is too large then it can cause an integer overflow > leading to memory corruption. Eric Dumazet suggests that 65534 is a > reasonable upper limit. > > Btw, "newmtu" is not allowed to be a negative number because of the > check in dev_set_mtu(), so that's ok. > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > v2: Cap it at 65534 instead of just testing for integer overflows. > Thanks David and Eric! Applied. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c index df6c073..5c47b01 100644 --- a/drivers/net/wan/x25_asy.c +++ b/drivers/net/wan/x25_asy.c @@ -122,8 +122,12 @@ static int x25_asy_change_mtu(struct net_device *dev, int newmtu) { struct x25_asy *sl = netdev_priv(dev); unsigned char *xbuff, *rbuff; - int len = 2 * newmtu; + int len; + if (newmtu > 65534) + return -EINVAL; + + len = 2 * newmtu; xbuff = kmalloc(len + 4, GFP_ATOMIC); rbuff = kmalloc(len + 4, GFP_ATOMIC);
If "newmtu * 2 + 4" is too large then it can cause an integer overflow leading to memory corruption. Eric Dumazet suggests that 65534 is a reasonable upper limit. Btw, "newmtu" is not allowed to be a negative number because of the check in dev_set_mtu(), so that's ok. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- v2: Cap it at 65534 instead of just testing for integer overflows. Thanks David and Eric! -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html