| Message ID | 36d3e64c941166c19c80987fcd692fece72ced17.1413021630.git.tilman@imap.cc |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
diff --git a/drivers/isdn/gigaset/capi.c b/drivers/isdn/gigaset/capi.c index 044392c..47e2a91 100644 --- a/drivers/isdn/gigaset/capi.c +++ b/drivers/isdn/gigaset/capi.c @@ -250,6 +250,8 @@ static inline void dump_rawmsg(enum debuglevel level, const char *tag, l -= 12; if (l <= 0) return; + if (l > 64) + l = 64; /* arbitrary limit */ dbgline = kmalloc(3 * l, GFP_ATOMIC); if (!dbgline) return;
In dump_rawmsg, the length field from a received data package was used unscrutinized, allowing an attacker to control the size of the allocated buffer and the number of times the output loop iterates. Fix by limiting to a reasonable value. Spotted with Coverity. Signed-off-by: Tilman Schmidt <tilman@imap.cc> --- drivers/isdn/gigaset/capi.c | 2 ++ 1 file changed, 2 insertions(+)