From: Tilman Schmidt Date: Sat, 11 Oct 2014 11:46:29 +0000 (+0200) Subject: isdn/gigaset: limit raw CAPI message dump length X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=097933ddcd28ef99c116651b20fd2e06717e0f0d;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git isdn/gigaset: limit raw CAPI message dump length In dump_rawmsg, the length field from a received data package was used unscrutinized, allowing an attacker to control the size of the allocated buffer and the number of times the output loop iterates. Fix by limiting to a reasonable value. Spotted with Coverity. Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller --- diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c index 044392cba262..47e2a913a6ef 100644 --- a/drivers/isdn/gigaset/capi.c +++ b/drivers/isdn/gigaset/capi.c @@ -250,6 +250,8 @@ static inline void dump_rawmsg(enum debuglevel level, const char *tag, l -= 12; if (l <= 0) return; + if (l > 64) + l = 64; /* arbitrary limit */ dbgline = kmalloc(3 * l, GFP_ATOMIC); if (!dbgline) return;