isdn/gigaset: limit raw CAPI message dump length

In dump_rawmsg, the length field from a received data package was used unscrutinized, allowing an attacker to control the size of the allocated buffer and the number of times the output loop iterates. Fix by limiting to a reasonable value. Spotted with Coverity. Signed-off-by: Tilman Schmidt <tilman@imap.cc> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Tilman Schmidt <tilman@imap.cc> 2014-10-11 13:46:29 +0200
committer: David S. Miller <davem@davemloft.net> 2014-10-14 15:05:33 -0400
commit: 097933ddcd28ef99c116651b20fd2e06717e0f0d (patch)
tree: daba40194d81bd13eb0689e3668bae0988137a8d /drivers/isdn
parent: ee7ff5fed25711a26da7826071e6ede8af049ad2 (diff)
download: op-kernel-dev-097933ddcd28ef99c116651b20fd2e06717e0f0d.zip
op-kernel-dev-097933ddcd28ef99c116651b20fd2e06717e0f0d.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c
index 044392c..47e2a91 100644
--- a/drivers/isdn/gigaset/capi.c
+++ b/drivers/isdn/gigaset/capi.c
@@ -250,6 +250,8 @@ static inline void dump_rawmsg(enum debuglevel level, const char *tag,
 	l -= 12;
 	if (l <= 0)
 		return;
+	if (l > 64)
+		l = 64; /* arbitrary limit */
 	dbgline = kmalloc(3 * l, GFP_ATOMIC);
 	if (!dbgline)
 		return;
author	Tilman Schmidt <tilman@imap.cc>	2014-10-11 13:46:29 +0200
committer	David S. Miller <davem@davemloft.net>	2014-10-14 15:05:33 -0400
commit	097933ddcd28ef99c116651b20fd2e06717e0f0d (patch)
tree	daba40194d81bd13eb0689e3668bae0988137a8d /drivers/isdn
parent	ee7ff5fed25711a26da7826071e6ede8af049ad2 (diff)
download	op-kernel-dev-097933ddcd28ef99c116651b20fd2e06717e0f0d.zip op-kernel-dev-097933ddcd28ef99c116651b20fd2e06717e0f0d.tar.gz