rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
e688a60480
commit
a0a129f8b6
|
@ -665,11 +665,14 @@ static ssize_t store_rps_dev_flow_table_cnt(struct netdev_rx_queue *queue,
|
|||
if (count) {
|
||||
int i;
|
||||
|
||||
if (count > 1<<30) {
|
||||
if (count > INT_MAX)
|
||||
return -EINVAL;
|
||||
count = roundup_pow_of_two(count);
|
||||
if (count > (ULONG_MAX - sizeof(struct rps_dev_flow_table))
|
||||
/ sizeof(struct rps_dev_flow)) {
|
||||
/* Enforce a limit to prevent overflow */
|
||||
return -EINVAL;
|
||||
}
|
||||
count = roundup_pow_of_two(count);
|
||||
table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
|
||||
if (!table)
|
||||
return -ENOMEM;
|
||||
|
|
Loading…
Reference in New Issue