CVE-2010-2959 kernel: can: add limit for nframes and clean up signed/unsigned variables

[Eugene Teo <eugeneteo () kernel sg>]

Upstream commit: 5b75c4973ce779520b9d1e392483207d6f842cde

Discovered by Ben Hawkes. From the description of the patch: "This patch 
adds a limit for nframes as the number of frames in TX_SETUP and 
RX_SETUP are derived from a single byte multiplex value by default. 
Use-cases that would require to send/filter more than 256 CAN frames 
should be implemented in userspace for complexity reasons anyway.

Additionally the assignments of unsigned values from userspace to signed 
values in kernelspace and vice versa are fixed by using unsigned values 
in kernelspace consistently."

This can lead to a local denial of service or privilege escalation.

This can be mitigated by blacklisting the can/can_bcm modules.

https://bugzilla.redhat.com/CVE-2010-2959

I got the CVE name from a recent Ubuntu advisory.

Thanks, Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }