| From bc60935376fb0326e2c53253bc7baf925c0f77b5 Mon Sep 17 00:00:00 2001 |
| From: Andrey Konovalov <andreyknvl@google.com> |
| Date: Wed, 29 Mar 2017 16:11:21 +0200 |
| Subject: [PATCH] net/packet: fix overflow in check for tp_frame_nr |
| |
| commit 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b upstream. |
| |
| When calculating rb->frames_per_block * req->tp_block_nr the result |
| can overflow. |
| |
| Add a check that tp_block_size * tp_block_nr <= UINT_MAX. |
| |
| Since frames_per_block <= tp_block_size, the expression would |
| never overflow. |
| |
| Signed-off-by: Andrey Konovalov <andreyknvl@google.com> |
| Acked-by: Eric Dumazet <edumazet@google.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c |
| index 4df49bae4f1f..9b8c04498e7d 100644 |
| --- a/net/packet/af_packet.c |
| +++ b/net/packet/af_packet.c |
| @@ -4234,6 +4234,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, |
| rb->frames_per_block = req->tp_block_size / req->tp_frame_size; |
| if (unlikely(rb->frames_per_block == 0)) |
| goto out; |
| + if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr)) |
| + goto out; |
| if (unlikely((rb->frames_per_block * req->tp_block_nr) != |
| req->tp_frame_nr)) |
| goto out; |
| -- |
| 2.12.0 |
| |