diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2014-07-17 06:50:45 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-07-17 19:47:50 -0400 |
commit | a28d0e873d2899bd750ae495f84fe9c1a2f53809 (patch) | |
tree | c298871f2dfa4dc8f93e0f2928aa844b1cda20f1 /drivers/net/wan/x25_asy.c | |
parent | cc25eaae238ddd693aa5eaa73e565d8ff4915f6e (diff) |
wan/x25_asy: integer overflow in x25_asy_change_mtu()
If "newmtu * 2 + 4" is too large then it can cause an integer overflow
leading to memory corruption. Eric Dumazet suggests that 65534 is a
reasonable upper limit.
Btw, "newmtu" is not allowed to be a negative number because of the
check in dev_set_mtu(), so that's ok.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/wan/x25_asy.c')
-rw-r--r-- | drivers/net/wan/x25_asy.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/net/wan/x25_asy.c b/drivers/net/wan/x25_asy.c index 5895f1978691..fa9fdfa128c1 100644 --- a/drivers/net/wan/x25_asy.c +++ b/drivers/net/wan/x25_asy.c | |||
@@ -122,8 +122,12 @@ static int x25_asy_change_mtu(struct net_device *dev, int newmtu) | |||
122 | { | 122 | { |
123 | struct x25_asy *sl = netdev_priv(dev); | 123 | struct x25_asy *sl = netdev_priv(dev); |
124 | unsigned char *xbuff, *rbuff; | 124 | unsigned char *xbuff, *rbuff; |
125 | int len = 2 * newmtu; | 125 | int len; |
126 | 126 | ||
127 | if (newmtu > 65534) | ||
128 | return -EINVAL; | ||
129 | |||
130 | len = 2 * newmtu; | ||
127 | xbuff = kmalloc(len + 4, GFP_ATOMIC); | 131 | xbuff = kmalloc(len + 4, GFP_ATOMIC); |
128 | rbuff = kmalloc(len + 4, GFP_ATOMIC); | 132 | rbuff = kmalloc(len + 4, GFP_ATOMIC); |
129 | 133 | ||