[PATCH 3/5] net/packet: fix overflow in check for tp_frame_nr

Tue, 28 Mar 2017 07:02:58 -0700 

When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr <= UINT_MAX.

Since frames_per_block <= tp_block_size, the expression would
never overflow.

Signed-off-by: Andrey Konovalov <andreyk...@google.com>
---
 net/packet/af_packet.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 506348abdf2f..c5c43fff8c01 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4197,6 +4197,9 @@ static int packet_set_ring(struct sock *sk, union 
tpacket_req_u *req_u,
                        goto out;
                if (unlikely(req->tp_frame_size == 0))
                        goto out;
+               if (unlikely((u64)req->tp_block_size * req->tp_block_nr >
+                                       UINT_MAX))
+                       goto out;
 
                if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
                        goto out;
-- 
2.12.2.564.g063fe858b8-goog

Reply via email to