[PATCH 3.10 23/62] drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: 2014-01-14 00:27:59
Also in:
lkml
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: 2014-01-14 00:27:59
Also in:
lkml
3.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Wenliang Fan <redacted> [ Upstream commit e9db5c21d3646a6454fcd04938dd215ac3ab620a ] The local variable 'bi' comes from userspace. If userspace passed a large number to 'bi.data.calibrate', there would be an integer overflow in the following line: s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; Signed-off-by: Wenliang Fan <redacted> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/net/hamradio/hdlcdrv.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/drivers/net/hamradio/hdlcdrv.c
+++ b/drivers/net/hamradio/hdlcdrv.c@@ -571,6 +571,8 @@ static int hdlcdrv_ioctl(struct net_devi case HDLCDRVCTL_CALIBRATE: if(!capable(CAP_SYS_RAWIO)) return -EPERM; + if (bi.data.calibrate > INT_MAX / s->par.bitrate) + return -EINVAL; s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; return 0;