[PATCH] bridge: fix possible overflow in get_fdb_entries (CVE-2006-5751)

Make sure to properly clamp maxnum to avoid overflow (CVE-2006-5751).

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Eugene Teo <eteo@redhat.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index 4e4119a1213925568b8a1acdef9bf52b98b19da3..4c61a7e0a86e1ae9e16867f9f8e4b0412b8edbaf 100644 (file)
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -58,12 +58,13 @@ static int get_fdb_entries(struct net_bridge *br, void __user *userbuf,
 {
        int num;
        void *buf;
-       size_t size = maxnum * sizeof(struct __fdb_entry);
+       size_t size;
 
-       if (size > PAGE_SIZE) {
-               size = PAGE_SIZE;
+       /* Clamp size to PAGE_SIZE, test maxnum to avoid overflow */
+       if (maxnum > PAGE_SIZE/sizeof(struct __fdb_entry))
                maxnum = PAGE_SIZE/sizeof(struct __fdb_entry);
-       }
+
+       size = maxnum * sizeof(struct __fdb_entry);
 
        buf = kmalloc(size, GFP_USER);
        if (!buf)