diff options
author | Xi Wang <xi.wang@gmail.com> | 2011-12-22 13:35:22 (GMT) |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-12-23 03:34:56 (GMT) |
commit | a0a129f8b6cff54ab479324a54aefdab5db4f240 (patch) | |
tree | d3e74b3a59e0fd9c1173852d200eb8491918a3ff /net/econet | |
parent | e688a604807647c9450f9c12a7cb6d027150a895 (diff) | |
download | linux-a0a129f8b6cff54ab479324a54aefdab5db4f240.tar.xz |
rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt()
Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will
cause a kernel oops due to insufficient bounds checking.
if (count > 1<<30) {
/* Enforce a limit to prevent overflow */
return -EINVAL;
}
count = roundup_pow_of_two(count);
table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count));
Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as:
... + (count * sizeof(struct rps_dev_flow))
where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow
32 bits.
This patch replaces the magic number (1 << 30) with a symbolic bound.
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/econet')
0 files changed, 0 insertions, 0 deletions