Commit 32288eb4 authored by Xi Wang's avatar Xi Wang Committed by David S. Miller

netrom: avoid overflows in nr_setsockopt()

Check setsockopt arguments to avoid overflows and return -EINVAL for
too large arguments.
Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent ba1cffe0
...@@ -306,26 +306,26 @@ static int nr_setsockopt(struct socket *sock, int level, int optname, ...@@ -306,26 +306,26 @@ static int nr_setsockopt(struct socket *sock, int level, int optname,
{ {
struct sock *sk = sock->sk; struct sock *sk = sock->sk;
struct nr_sock *nr = nr_sk(sk); struct nr_sock *nr = nr_sk(sk);
int opt; unsigned long opt;
if (level != SOL_NETROM) if (level != SOL_NETROM)
return -ENOPROTOOPT; return -ENOPROTOOPT;
if (optlen < sizeof(int)) if (optlen < sizeof(unsigned int))
return -EINVAL; return -EINVAL;
if (get_user(opt, (int __user *)optval)) if (get_user(opt, (unsigned int __user *)optval))
return -EFAULT; return -EFAULT;
switch (optname) { switch (optname) {
case NETROM_T1: case NETROM_T1:
if (opt < 1) if (opt < 1 || opt > ULONG_MAX / HZ)
return -EINVAL; return -EINVAL;
nr->t1 = opt * HZ; nr->t1 = opt * HZ;
return 0; return 0;
case NETROM_T2: case NETROM_T2:
if (opt < 1) if (opt < 1 || opt > ULONG_MAX / HZ)
return -EINVAL; return -EINVAL;
nr->t2 = opt * HZ; nr->t2 = opt * HZ;
return 0; return 0;
...@@ -337,13 +337,13 @@ static int nr_setsockopt(struct socket *sock, int level, int optname, ...@@ -337,13 +337,13 @@ static int nr_setsockopt(struct socket *sock, int level, int optname,
return 0; return 0;
case NETROM_T4: case NETROM_T4:
if (opt < 1) if (opt < 1 || opt > ULONG_MAX / HZ)
return -EINVAL; return -EINVAL;
nr->t4 = opt * HZ; nr->t4 = opt * HZ;
return 0; return 0;
case NETROM_IDLE: case NETROM_IDLE:
if (opt < 0) if (opt > ULONG_MAX / (60 * HZ))
return -EINVAL; return -EINVAL;
nr->idle = opt * 60 * HZ; nr->idle = opt * 60 * HZ;
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment