Commit be639ac6901a082894771f55c8047d5772de5c27
Committed by
David S. Miller
David S. Miller
1 parent
3b15885930
Exists in
master
and in
6 other branches
NET: AX.25: Check ioctl arguments to avoid overflows further down the road.
Very large, nonsenical arguments or use in very extreme conditions could result in integer overflows. Check ioctls arguments to avoid such overflows and return -EINVAL for too large arguments. To allow the use of AX.25 for even the most extreme setup (think packet radio to the Phase 5E mars probe) we make no further attempt to clamp the argument range. Originally reported by Fan Long <longfancn@gmail.com> and a first patch was sent by Xi Wang <xi.wang@gmail.com>. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Cc: Xi Wang <xi.wang@gmail.com> Cc: Joerg Reuter <jreuter@yaina.de> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: Thomas Osterried <thomas@osterried.de> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 11 additions and 6 deletions Side-by-side Diff
net/ax25/af_ax25.c
| ... | ... | @@ -402,14 +402,14 @@ |
| 402 | 402 | break; |
| 403 | 403 | |
| 404 | 404 | case AX25_T1: |
| 405 | - if (ax25_ctl.arg < 1) | |
| 405 | + if (ax25_ctl.arg < 1 || ax25_ctl.arg > ULONG_MAX / HZ) | |
| 406 | 406 | goto einval_put; |
| 407 | 407 | ax25->rtt = (ax25_ctl.arg * HZ) / 2; |
| 408 | 408 | ax25->t1 = ax25_ctl.arg * HZ; |
| 409 | 409 | break; |
| 410 | 410 | |
| 411 | 411 | case AX25_T2: |
| 412 | - if (ax25_ctl.arg < 1) | |
| 412 | + if (ax25_ctl.arg < 1 || ax25_ctl.arg > ULONG_MAX / HZ) | |
| 413 | 413 | goto einval_put; |
| 414 | 414 | ax25->t2 = ax25_ctl.arg * HZ; |
| 415 | 415 | break; |
| 416 | 416 | |
| ... | ... | @@ -422,10 +422,15 @@ |
| 422 | 422 | break; |
| 423 | 423 | |
| 424 | 424 | case AX25_T3: |
| 425 | + if (ax25_ctl.arg > ULONG_MAX / HZ) | |
| 426 | + goto einval_put; | |
| 425 | 427 | ax25->t3 = ax25_ctl.arg * HZ; |
| 426 | 428 | break; |
| 427 | 429 | |
| 428 | 430 | case AX25_IDLE: |
| 431 | + if (ax25_ctl.arg > ULONG_MAX / (60 * HZ)) | |
| 432 | + goto einval_put; | |
| 433 | + | |
| 429 | 434 | ax25->idle = ax25_ctl.arg * 60 * HZ; |
| 430 | 435 | break; |
| 431 | 436 | |
| ... | ... | @@ -571,7 +576,7 @@ |
| 571 | 576 | break; |
| 572 | 577 | |
| 573 | 578 | case AX25_T1: |
| 574 | - if (opt < 1) { | |
| 579 | + if (opt < 1 || opt > ULONG_MAX / HZ) { | |
| 575 | 580 | res = -EINVAL; |
| 576 | 581 | break; |
| 577 | 582 | } |
| ... | ... | @@ -580,7 +585,7 @@ |
| 580 | 585 | break; |
| 581 | 586 | |
| 582 | 587 | case AX25_T2: |
| 583 | - if (opt < 1) { | |
| 588 | + if (opt < 1 || opt > ULONG_MAX / HZ) { | |
| 584 | 589 | res = -EINVAL; |
| 585 | 590 | break; |
| 586 | 591 | } |
| ... | ... | @@ -596,7 +601,7 @@ |
| 596 | 601 | break; |
| 597 | 602 | |
| 598 | 603 | case AX25_T3: |
| 599 | - if (opt < 1) { | |
| 604 | + if (opt < 1 || opt > ULONG_MAX / HZ) { | |
| 600 | 605 | res = -EINVAL; |
| 601 | 606 | break; |
| 602 | 607 | } |
| ... | ... | @@ -604,7 +609,7 @@ |
| 604 | 609 | break; |
| 605 | 610 | |
| 606 | 611 | case AX25_IDLE: |
| 607 | - if (opt < 0) { | |
| 612 | + if (opt < 0 || opt > ULONG_MAX / (60 * HZ)) { | |
| 608 | 613 | res = -EINVAL; |
| 609 | 614 | break; |
| 610 | 615 | } |