wan/x25_asy: integer overflow in x25_asy_change_mtu()
If "newmtu * 2 + 4" is too large then it can cause an integer overflow leading to memory corruption. Eric Dumazet suggests that 65534 is a reasonable upper limit. Btw, "newmtu" is not allowed to be a negative number because of the check in dev_set_mtu(), so that's ok. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
cc25eaae23
commit
a28d0e873d
|
@ -122,8 +122,12 @@ static int x25_asy_change_mtu(struct net_device *dev, int newmtu)
|
|||
{
|
||||
struct x25_asy *sl = netdev_priv(dev);
|
||||
unsigned char *xbuff, *rbuff;
|
||||
int len = 2 * newmtu;
|
||||
int len;
|
||||
|
||||
if (newmtu > 65534)
|
||||
return -EINVAL;
|
||||
|
||||
len = 2 * newmtu;
|
||||
xbuff = kmalloc(len + 4, GFP_ATOMIC);
|
||||
rbuff = kmalloc(len + 4, GFP_ATOMIC);
|
||||
|
||||
|
|
Loading…
Reference in New Issue