Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ba8379b2 authored by Chris Wright's avatar Chris Wright Committed by Linus Torvalds
Browse files

[PATCH] bridge: fix possible overflow in get_fdb_entries 



Make sure to properly clamp maxnum to avoid overflow

Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
Acked-by: default avatarEugene Teo <eteo@redhat.com>
Acked-by: default avatarMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 24d7bb33

net/bridge/br_ioctl.c

+5 −4
Original line number Diff line number Diff line
@@ -58,12 +58,13 @@ static int get_fdb_entries(struct net_bridge *br, void __user *userbuf, 
{

	int num;

	void *buf;

	size_t size = maxnum * sizeof(struct __fdb_entry);

	size_t size;



	if (size > PAGE_SIZE) {

		size = PAGE_SIZE;

	/* Clamp size to PAGE_SIZE, test maxnum to avoid overflow */

	if (maxnum > PAGE_SIZE/sizeof(struct __fdb_entry))

		maxnum = PAGE_SIZE/sizeof(struct __fdb_entry);

	}



	size = maxnum * sizeof(struct __fdb_entry);



	buf = kmalloc(size, GFP_USER);

	if (!buf)