diff options
author | Chris Wright <chrisw@sous-sol.org> | 2006-12-04 19:44:59 +0100 |
---|---|---|
committer | Adrian Bunk <bunk@stusta.de> | 2006-12-04 19:44:59 +0100 |
commit | e0d34fea66c5dbe70116acac6f4d722564810dca (patch) | |
tree | a42fa6012da6ffd41acd1e2ea4f926d245cfa6cd /net | |
parent | 25e1dd8a73c6661c03104f53199b501be489888d (diff) | |
download | linux-stable-e0d34fea66c5dbe70116acac6f4d722564810dca.tar.gz linux-stable-e0d34fea66c5dbe70116acac6f4d722564810dca.tar.bz2 linux-stable-e0d34fea66c5dbe70116acac6f4d722564810dca.zip |
bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751)
Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751).
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Stephen Hemminger <shemminger@osdl.org>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Diffstat (limited to 'net')
-rw-r--r-- | net/bridge/br_ioctl.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c index 159fb8409824..0d5b0d1ef25f 100644 --- a/net/bridge/br_ioctl.c +++ b/net/bridge/br_ioctl.c @@ -58,12 +58,13 @@ static int get_fdb_entries(struct net_bridge *br, void __user *userbuf, { int num; void *buf; - size_t size = maxnum * sizeof(struct __fdb_entry); + size_t size; - if (size > PAGE_SIZE) { - size = PAGE_SIZE; + /* Clamp size to PAGE_SIZE, test maxnum to avoid overflow */ + if (maxnum > PAGE_SIZE/sizeof(struct __fdb_entry)) maxnum = PAGE_SIZE/sizeof(struct __fdb_entry); - } + + size = maxnum * sizeof(struct __fdb_entry); buf = kmalloc(size, GFP_USER); if (!buf) |