mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-02 15:06:46 +07:00
VMCI: integer overflow in vmci_datagram_dispatch()
This is untrusted user data from vmci_host_do_send_datagram() so the VMCI_DG_SIZE() macro can have an integer overflow. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
95e838c915
commit
2e45354645
@ -328,7 +328,8 @@ int vmci_datagram_dispatch(u32 context_id,
|
||||
|
||||
BUILD_BUG_ON(sizeof(struct vmci_datagram) != 24);
|
||||
|
||||
if (VMCI_DG_SIZE(dg) > VMCI_MAX_DG_SIZE) {
|
||||
if (dg->payload_size > VMCI_MAX_DG_SIZE ||
|
||||
VMCI_DG_SIZE(dg) > VMCI_MAX_DG_SIZE) {
|
||||
pr_devel("Payload (size=%llu bytes) too big to send\n",
|
||||
(unsigned long long)dg->payload_size);
|
||||
return VMCI_ERROR_INVALID_ARGS;
|
||||
|
Loading…
Reference in New Issue
Block a user