netrom: avoid overflows in nr_setsockopt()

Check setsockopt arguments to avoid overflows and return -EINVAL for too large arguments. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>

netrom: avoid overflows in nr_setsockopt()
Check setsockopt arguments to avoid overflows and return -EINVAL for too large arguments. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Xi Wang · David S. Miller
1 parent ba1cffe025
Showing 1 changed file with 7 additions and 7 deletions Side-by-side Diff
net/netrom/af_netrom.c
@@ -306,26 +306,26 @@
 {
 	struct sock *sk = sock->sk;
 	struct nr_sock *nr = nr_sk(sk);
-	int opt;
+	unsigned long opt;
  
 	if (level != SOL_NETROM)
 		return -ENOPROTOOPT;
  
-	if (optlen < sizeof(int))
+	if (optlen < sizeof(unsigned int))
 		return -EINVAL;
  
-	if (get_user(opt, (int __user *)optval))
+	if (get_user(opt, (unsigned int __user *)optval))
 		return -EFAULT;
  
 	switch (optname) {
 	case NETROM_T1:
-		if (opt < 1)
+		if (opt < 1 || opt > ULONG_MAX / HZ)
 			return -EINVAL;
 		nr->t1 = opt * HZ;
 		return 0;
  
 	case NETROM_T2:
-		if (opt < 1)
+		if (opt < 1 || opt > ULONG_MAX / HZ)
 			return -EINVAL;
 		nr->t2 = opt * HZ;
 		return 0;
  
@@ -337,13 +337,13 @@
 		return 0;
  
 	case NETROM_T4:
-		if (opt < 1)
+		if (opt < 1 || opt > ULONG_MAX / HZ)
 			return -EINVAL;
 		nr->t4 = opt * HZ;
 		return 0;
  
 	case NETROM_IDLE:
-		if (opt < 0)
+		if (opt > ULONG_MAX / (60 * HZ))
 			return -EINVAL;
 		nr->idle = opt * 60 * HZ;
 		return 0;
...	...	@@ -306,26 +306,26 @@
306	306	{
307	307	struct sock *sk = sock->sk;
308	308	struct nr_sock *nr = nr_sk(sk);
309		- int opt;
	309	+ unsigned long opt;
310	310
311	311	if (level != SOL_NETROM)
312	312	return -ENOPROTOOPT;
313	313
314		- if (optlen < sizeof(int))
	314	+ if (optlen < sizeof(unsigned int))
315	315	return -EINVAL;
316	316
317		- if (get_user(opt, (int __user *)optval))
	317	+ if (get_user(opt, (unsigned int __user *)optval))
318	318	return -EFAULT;
319	319
320	320	switch (optname) {
321	321	case NETROM_T1:
322		- if (opt < 1)
	322	+ if (opt < 1 \|\| opt > ULONG_MAX / HZ)
323	323	return -EINVAL;
324	324	nr->t1 = opt * HZ;
325	325	return 0;
326	326
327	327	case NETROM_T2:
328		- if (opt < 1)
	328	+ if (opt < 1 \|\| opt > ULONG_MAX / HZ)
329	329	return -EINVAL;
330	330	nr->t2 = opt * HZ;
331	331	return 0;
332	332
...	...	@@ -337,13 +337,13 @@
337	337	return 0;
338	338
339	339	case NETROM_T4:
340		- if (opt < 1)
	340	+ if (opt < 1 \|\| opt > ULONG_MAX / HZ)
341	341	return -EINVAL;
342	342	nr->t4 = opt * HZ;
343	343	return 0;
344	344
345	345	case NETROM_IDLE:
346		- if (opt < 0)
	346	+ if (opt > ULONG_MAX / (60 * HZ))
347	347	return -EINVAL;
348	348	nr->idle = opt * 60 * HZ;
349	349	return 0;