AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2025-01-18 10:46:12 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity

isdn/gigaset: limit raw CAPI message dump length

Browse Source 
In dump_rawmsg, the length field from a received data package was
used unscrutinized, allowing an attacker to control the size of the
allocated buffer and the number of times the output loop iterates.
Fix by limiting to a reasonable value.

Spotted with Coverity.

Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Tilman Schmidt 2014-10-11 13:46:29 +02:00 committed by David S. Miller
parent ee7ff5fed2
commit 097933ddcd
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
drivers/isdn/gigaset/capi.c
View File

@ -250,6 +250,8 @@ static inline void dump_rawmsg(enum debuglevel level, const char *tag,
l -= 12;
if (l <= 0)
return;
if (l > 64)
l = 64; /* arbitrary limit */
dbgline = kmalloc(3 * l, GFP_ATOMIC);
if (!dbgline)
return;