summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorWenliang Fan <fanwlexca@gmail.com>2013-12-17 11:25:28 +0800
committerDavid S. Miller <davem@davemloft.net>2013-12-19 15:02:14 -0500
commite9db5c21d3646a6454fcd04938dd215ac3ab620a (patch)
tree52bc7616461aff96f0a889317b2861ec8d301eab /drivers
parent0c8d087c04cdcef501064552149289866e53aa6c (diff)
downloadop-kernel-dev-e9db5c21d3646a6454fcd04938dd215ac3ab620a.zip
op-kernel-dev-e9db5c21d3646a6454fcd04938dd215ac3ab620a.tar.gz
drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()
The local variable 'bi' comes from userspace. If userspace passed a large number to 'bi.data.calibrate', there would be an integer overflow in the following line: s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; Signed-off-by: Wenliang Fan <fanwlexca@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/hamradio/hdlcdrv.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/net/hamradio/hdlcdrv.c b/drivers/net/hamradio/hdlcdrv.c
index 3169252..5d78c1d 100644
--- a/drivers/net/hamradio/hdlcdrv.c
+++ b/drivers/net/hamradio/hdlcdrv.c
@@ -571,6 +571,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
case HDLCDRVCTL_CALIBRATE:
if(!capable(CAP_SYS_RAWIO))
return -EPERM;
+ if (bi.data.calibrate > INT_MAX / s->par.bitrate)
+ return -EINVAL;
s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
return 0;
OpenPOWER on IntegriCloud