These two functions are called in sendmsg path, and the
'len' is passed from user-space, so we should not allow
malicious users to OOM kernel on purpose.
Reported-by: Dmitry Vyukov <dvyu...@google.com>
Cc: Lauro Ramos Venancio <lauro.venan...@openbossa.org>
Cc: Aloisio Almeida Jr <aloisio.alme...@openbossa.org>
Cc: Samuel Ortiz <sa...@linux.intel.com>
Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>
---
net/nfc/llcp_commands.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index 3621a90..3425532 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -663,7 +663,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
return -ENOBUFS;
}
- msg_data = kzalloc(len, GFP_KERNEL);
+ msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);
if (msg_data == NULL)
return -ENOMEM;
@@ -729,7 +729,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8
ssap, u8 dsap,
if (local == NULL)
return -ENODEV;
- msg_data = kzalloc(len, GFP_KERNEL);
+ msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);
if (msg_data == NULL)
return -ENOMEM;
--
1.8.3.1
