diff options
author | Chris Wright <chrisw@sous-sol.org> | 2006-11-20 15:02:49 -0800 |
---|---|---|
committer | Chris Wright <chrisw@sous-sol.org> | 2006-11-29 11:28:24 -0800 |
commit | 9c45f612e952238e27f14e02b4d09123bf415207 (patch) | |
tree | 0dfc4ae3b9f8b742983ba77af43eee61ff32f772 | |
parent | c929bdcba5133b958b5f913b7de9bdba61025c64 (diff) |
[PATCH] bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751)
Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751).
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Eugene Teo <eteo@redhat.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r-- | net/bridge/br_ioctl.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c index 4e4119a1213..4c61a7e0a86 100644 --- a/net/bridge/br_ioctl.c +++ b/net/bridge/br_ioctl.c @@ -58,12 +58,13 @@ static int get_fdb_entries(struct net_bridge *br, void __user *userbuf, { int num; void *buf; - size_t size = maxnum * sizeof(struct __fdb_entry); + size_t size; - if (size > PAGE_SIZE) { - size = PAGE_SIZE; + /* Clamp size to PAGE_SIZE, test maxnum to avoid overflow */ + if (maxnum > PAGE_SIZE/sizeof(struct __fdb_entry)) maxnum = PAGE_SIZE/sizeof(struct __fdb_entry); - } + + size = maxnum * sizeof(struct __fdb_entry); buf = kmalloc(size, GFP_USER); if (!buf) |