drivers/message/i2o/i2o_config.c: bound allocation
authorAlan Cox <alan@linux.intel.com>
Mon, 30 Jul 2012 21:41:30 +0000 (14:41 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Tue, 31 Jul 2012 00:25:17 +0000 (17:25 -0700)
Fix a case where users can try to allocate arbitarily large amounts of
memory. 64K is overkill for a config request so apply an upper bound.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/message/i2o/i2o_config.c

index 098de2b35784a44cc4d5b9baeb08898a6a5ed805..9a49c243a6ac59c78c98cd9de021429d44aa8908 100644 (file)
@@ -188,6 +188,13 @@ static int i2o_cfg_parms(unsigned long arg, unsigned int type)
        if (!dev)
                return -ENXIO;
 
+       /*
+        * Stop users being able to try and allocate arbitary amounts
+        * of DMA space. 64K is way more than sufficient for this.
+        */
+       if (kcmd.oplen > 65536)
+               return -EMSGSIZE;
+
        ops = memdup_user(kcmd.opbuf, kcmd.oplen);
        if (IS_ERR(ops))
                return PTR_ERR(ops);