From patchwork Thu Jul 17 10:50:45 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 371063 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 0AF4C140090 for ; Thu, 17 Jul 2014 20:51:26 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757012AbaGQKvV (ORCPT ); Thu, 17 Jul 2014 06:51:21 -0400 Received: from userp1040.oracle.com ([156.151.31.81]:51889 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756856AbaGQKvU (ORCPT ); Thu, 17 Jul 2014 06:51:20 -0400 Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s6HApDfE015565 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 17 Jul 2014 10:51:14 GMT Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s6HApBW7016194 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 17 Jul 2014 10:51:12 GMT Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by userz7022.oracle.com (8.14.5+Sun/8.14.4) with ESMTP id s6HAp8gS002556; Thu, 17 Jul 2014 10:51:09 GMT Received: from mwanda (/41.202.233.185) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 17 Jul 2014 03:51:07 -0700 Date: Thu, 17 Jul 2014 13:50:45 +0300 From: Dan Carpenter To: "David S. Miller" Cc: Tom Gundersen , David Herrmann , netdev@vger.kernel.org, Eric Dumazet , David Laight , kernel-janitors@vger.kernel.org Subject: [patch v2] wan/x25_asy: integer overflow in x25_asy_change_mtu() Message-ID: <20140717105044.GA28140@mwanda> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <1405588471.10255.70.camel@edumazet-glaptop2.roam.corp.google.com> User-Agent: Mutt/1.5.21 (2010-09-15) X-Source-IP: acsinet21.oracle.com [141.146.126.237] Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org If "newmtu * 2 + 4" is too large then it can cause an integer overflow leading to memory corruption. Eric Dumazet suggests that 65534 is a reasonable upper limit. Btw, "newmtu" is not allowed to be a negative number because of the check in dev_set_mtu(), so that's ok. Signed-off-by: Dan Carpenter --- v2: Cap it at 65534 instead of just testing for integer overflows. Thanks David and Eric! -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c index df6c073..5c47b01 100644 --- a/drivers/net/wan/x25_asy.c +++ b/drivers/net/wan/x25_asy.c @@ -122,8 +122,12 @@ static int x25_asy_change_mtu(struct net_device *dev, int newmtu) { struct x25_asy *sl = netdev_priv(dev); unsigned char *xbuff, *rbuff; - int len = 2 * newmtu; + int len; + if (newmtu > 65534) + return -EINVAL; + + len = 2 * newmtu; xbuff = kmalloc(len + 4, GFP_ATOMIC); rbuff = kmalloc(len + 4, GFP_ATOMIC);