iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()

Browse Source 
Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
cause a kernel oops due to insufficient bounds checking.

	if (count > 1<<30) {
		/* Enforce a limit to prevent overflow */
		return -EINVAL;
	}
	count = roundup_pow_of_two(count);
	table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));

Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:

	... + (count * sizeof(struct rps_dev_flow))

where sizeof(struct rps_dev_flow) is 8.  (1 << 30) * 8 will overflow
32 bits.

This patch replaces the magic number (1 << 30) with a symbolic bound.

Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Xi Wang
2011-12-22 13:35:22 +00:00
committed by David S. Miller
parent e688a60480
commit a0a129f8b6
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
net/core/net-sysfs.c
View File

@ -665,11 +665,14 @@ static ssize_t store_rps_dev_flow_table_cnt(struct netdev_rx_queue *queue,
if (count) { if (count) {
int i; int i;
if (count > 1<<30) { if (count > INT_MAX)
return -EINVAL;
count = roundup_pow_of_two(count);
if (count > (ULONG_MAX - sizeof(struct rps_dev_flow_table))
/ sizeof(struct rps_dev_flow)) {
/* Enforce a limit to prevent overflow */ /* Enforce a limit to prevent overflow */
return -EINVAL; return -EINVAL;
} }
count = roundup_pow_of_two(count);
table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
if (!table) if (!table)
return -ENOMEM; return -ENOMEM;