@@ -4188,8 +4188,16 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
}
err = -EINVAL;
- if (unlikely((int)req->tp_block_size <= 0))
+
+ if (unlikely(req->tp_block_size > INT_MAX))
+ goto out;
+ if (unlikely(req->tp_block_size == 0))
+ goto out;
+ if (unlikely(req->tp_frame_size > req->tp_block_size))
goto out;
+ if (unlikely(req->tp_frame_size == 0))
+ goto out;
+
if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
goto out;
if (po->tp_version >= TPACKET_V3 &&
@@ -4203,8 +4211,6 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
goto out;
rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
- if (unlikely(rb->frames_per_block == 0))
- goto out;
if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
req->tp_frame_nr))
goto out;
tp_frame_size can't be 0 or be larger than tp_block_size. As a result the check for frames_per_block == 0 is not needed any more. Also do explicit checks for tp_block_size, instead of casting to int. Signed-off-by: Andrey Konovalov <andreyknvl@google.com> --- net/packet/af_packet.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)