diff options
author | Xi Wang <xi.wang@gmail.com> | 2011-12-22 13:35:22 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-12-22 22:34:56 -0500 |
commit | a0a129f8b6cff54ab479324a54aefdab5db4f240 (patch) | |
tree | d3e74b3a59e0fd9c1173852d200eb8491918a3ff | |
parent | e688a604807647c9450f9c12a7cb6d027150a895 (diff) | |
download | blackbird-op-linux-a0a129f8b6cff54ab479324a54aefdab5db4f240.tar.gz blackbird-op-linux-a0a129f8b6cff54ab479324a54aefdab5db4f240.zip |
rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
cause a kernel oops due to insufficient bounds checking.
if (count > 1<<30) {
/* Enforce a limit to prevent overflow */
return -EINVAL;
}
count = roundup_pow_of_two(count);
table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
... + (count * sizeof(struct rps_dev_flow))
where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
32 bits.
This patch replaces the magic number (1 << 30) with a symbolic bound.
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/core/net-sysfs.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c index c71c434a4c05..385aefe53648 100644 --- a/net/core/net-sysfs.c +++ b/net/core/net-sysfs.c @@ -665,11 +665,14 @@ static ssize_t store_rps_dev_flow_table_cnt(struct netdev_rx_queue *queue, if (count) { int i; - if (count > 1<<30) { + if (count > INT_MAX) + return -EINVAL; + count = roundup_pow_of_two(count); + if (count > (ULONG_MAX - sizeof(struct rps_dev_flow_table)) + / sizeof(struct rps_dev_flow)) { /* Enforce a limit to prevent overflow */ return -EINVAL; } - count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); if (!table) return -ENOMEM; |