diff options
author | Tilman Schmidt <tilman@imap.cc> | 2014-10-11 13:46:29 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-10-14 21:05:33 +0200 |
commit | 097933ddcd28ef99c116651b20fd2e06717e0f0d (patch) | |
tree | daba40194d81bd13eb0689e3668bae0988137a8d | |
parent | isdn/gigaset: make sure controller name is null terminated (diff) | |
download | linux-097933ddcd28ef99c116651b20fd2e06717e0f0d.tar.xz linux-097933ddcd28ef99c116651b20fd2e06717e0f0d.zip |
isdn/gigaset: limit raw CAPI message dump length
In dump_rawmsg, the length field from a received data package was
used unscrutinized, allowing an attacker to control the size of the
allocated buffer and the number of times the output loop iterates.
Fix by limiting to a reasonable value.
Spotted with Coverity.
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | drivers/isdn/gigaset/capi.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c index 044392cba262..47e2a913a6ef 100644 --- a/drivers/isdn/gigaset/capi.c +++ b/drivers/isdn/gigaset/capi.c @@ -250,6 +250,8 @@ static inline void dump_rawmsg(enum debuglevel level, const char *tag, l -= 12; if (l <= 0) return; + if (l > 64) + l = 64; /* arbitrary limit */ dbgline = kmalloc(3 * l, GFP_ATOMIC); if (!dbgline) return; |