aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChris Wright <chrisw@sous-sol.org>2006-12-04 19:44:59 +0100
committerAdrian Bunk <bunk@stusta.de>2006-12-04 19:44:59 +0100
commite0d34fea66c5dbe70116acac6f4d722564810dca (patch)
treea42fa6012da6ffd41acd1e2ea4f926d245cfa6cd
parent25e1dd8a73c6661c03104f53199b501be489888d (diff)
bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751)
Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751). Signed-off-by: Chris Wright <chrisw@sous-sol.org> Acked-by: Stephen Hemminger <shemminger@osdl.org> Acked-by: David Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de>
-rw-r--r--net/bridge/br_ioctl.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index 159fb840982..0d5b0d1ef25 100644
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -58,12 +58,13 @@ static int get_fdb_entries(struct net_bridge *br, void __user *userbuf,
{
int num;
void *buf;
- size_t size = maxnum * sizeof(struct __fdb_entry);
+ size_t size;
- if (size > PAGE_SIZE) {
- size = PAGE_SIZE;
+ /* Clamp size to PAGE_SIZE, test maxnum to avoid overflow */
+ if (maxnum > PAGE_SIZE/sizeof(struct __fdb_entry))
maxnum = PAGE_SIZE/sizeof(struct __fdb_entry);
- }
+
+ size = maxnum * sizeof(struct __fdb_entry);
buf = kmalloc(size, GFP_USER);
if (!buf)