drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()

[ Upstream commit e9db5c21d3646a6454fcd04938dd215ac3ab620a ] The local variable 'bi' comes from userspace. If userspace passed a large number to 'bi.data.calibrate', there would be an integer overflow in the following line: s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; Signed-off-by: Wenliang Fan <fanwlexca@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Willy Tarreau <w@1wt.eu>
author: Wenliang Fan <fanwlexca@gmail.com> 2013-12-17 11:25:28 +0800
committer: Willy Tarreau <w@1wt.eu> 2014-05-19 07:54:08 +0200
commit: 7985df5a4f2b8431a831c3d4b12dff14e0efa12e (patch)
tree: fb1eaec61969f39775691fa34ea3c66293eef366
parent: dc332885abd71f603e01d8b27636a935c313d1c2 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/net/hamradio/hdlcdrv.c b/drivers/net/hamradio/hdlcdrv.c
index 91c5790c9581..c1b265d7d6da 100644
--- a/drivers/net/hamradio/hdlcdrv.c
+++ b/drivers/net/hamradio/hdlcdrv.c
@@ -572,6 +572,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 	case HDLCDRVCTL_CALIBRATE:
 		if(!capable(CAP_SYS_RAWIO))
 			return -EPERM;
+		if (bi.data.calibrate > INT_MAX / s->par.bitrate)
+			return -EINVAL;
 		s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
 		return 0;
author	Wenliang Fan <fanwlexca@gmail.com>	2013-12-17 11:25:28 +0800
committer	Willy Tarreau <w@1wt.eu>	2014-05-19 07:54:08 +0200
commit	7985df5a4f2b8431a831c3d4b12dff14e0efa12e (patch)
tree	fb1eaec61969f39775691fa34ea3c66293eef366
parent	dc332885abd71f603e01d8b27636a935c313d1c2 (diff)