tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
[PATCH] bridge: fix possible overflow in get_fdb_entries
Make sure to properly clamp maxnum to avoid overflow
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Eugene Teo <eteo@redhat.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
authored by
Chris Wright
and committed by
Linus Torvalds
ba8379b2
24d7bb33
+5
-4
+5
-4
net/bridge/br_ioctl.c
+5
-4
net/bridge/br_ioctl.c
···
58
58
{
59
59
int num;
60
60
void *buf;
61
-
size_t size = maxnum * sizeof(struct __fdb_entry);
61
+
size_t size;
62
62
63
-
if (size > PAGE_SIZE) {
64
-
size = PAGE_SIZE;
63
+
/* Clamp size to PAGE_SIZE, test maxnum to avoid overflow */
64
+
if (maxnum > PAGE_SIZE/sizeof(struct __fdb_entry))
65
65
maxnum = PAGE_SIZE/sizeof(struct __fdb_entry);
66
-
}
66
+
67
+
size = maxnum * sizeof(struct __fdb_entry);
67
68
68
69
buf = kmalloc(size, GFP_USER);
69
70
if (!buf)