Commit 097933dd authored Oct 11, 2014 by Tilman Schmidt Committed by David S. Miller Oct 14, 2014

isdn/gigaset: limit raw CAPI message dump length



In dump_rawmsg, the length field from a received data package was
used unscrutinized, allowing an attacker to control the size of the
allocated buffer and the number of times the output loop iterates.
Fix by limiting to a reasonable value.

Spotted with Coverity.

Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent ee7ff5fe

drivers/isdn/gigaset/capi.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -250,6 +250,8 @@ static inline void dump_rawmsg(enum debuglevel level, const char *tag,
		l -= 12;
		if (l <= 0)
		return;
		if (l > 64)
		l = 64; /* arbitrary limit */
		dbgline = kmalloc(3 * l, GFP_ATOMIC);
		if (!dbgline)
		return;