drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()

[ Upstream commit e9db5c21d3646a6454fcd04938dd215ac3ab620a ] The local variable 'bi' comes from userspace. If userspace passed a large number to 'bi.data.calibrate', there would be an integer overflow in the following line: s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; Signed-off-by: Wenliang Fan <fanwlexca@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Wenliang Fan <fanwlexca@gmail.com> 2013-12-17 11:25:28 +0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-01-15 15:27:11 -0800
commit: b7e3762c40e1d7f7a147f7d5be9584e1603bea01 (patch)
tree: ef3c6b3dd404c7d6cb7178efc0e923a717cbd30b
parent: 931a701d92ac7449efc5bb7e579f377f5eb565fd (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/net/hamradio/hdlcdrv.c b/drivers/net/hamradio/hdlcdrv.c
index a4a3516b6bbf..3b3a7e07bbf1 100644
--- a/drivers/net/hamradio/hdlcdrv.c
+++ b/drivers/net/hamradio/hdlcdrv.c
@@ -571,6 +571,8 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 	case HDLCDRVCTL_CALIBRATE:
 		if(!capable(CAP_SYS_RAWIO))
 			return -EPERM;
+		if (bi.data.calibrate > INT_MAX / s->par.bitrate)
+			return -EINVAL;
 		s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16;
 		return 0;
author	Wenliang Fan <fanwlexca@gmail.com>	2013-12-17 11:25:28 +0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2014-01-15 15:27:11 -0800
commit	b7e3762c40e1d7f7a147f7d5be9584e1603bea01 (patch)
tree	ef3c6b3dd404c7d6cb7178efc0e923a717cbd30b
parent	931a701d92ac7449efc5bb7e579f377f5eb565fd (diff)