* [patch] rds: fix an integer overflow test in rds_info_getsockopt()
@ 2015-08-01 12:33 ` Dan Carpenter
0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2015-08-01 12:33 UTC (permalink / raw)
To: Chien Yen, Andy Grover
Cc: David S. Miller, rds-devel, netdev, kernel-janitors
"len" is a signed integer. We check that len is not negative, so it
goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison
is type promoted to unsigned long. ULONG_MAX - 4095 is a higher than
INT_MAX so the condition can never be true.
I don't know if this is harmful but it seems safe to limit "len" to
INT_MAX - 4095.
Fixes: a8c879a7ee98 ('RDS: Info and stats')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/net/rds/info.c b/net/rds/info.c
index 9a6b4f6..140a44a 100644
--- a/net/rds/info.c
+++ b/net/rds/info.c
@@ -176,7 +176,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval,
/* check for all kinds of wrapping and the like */
start = (unsigned long)optval;
- if (len < 0 || len + PAGE_SIZE - 1 < len || start + len < start) {
+ if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || start + len < start) {
ret = -EINVAL;
goto out;
}
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [patch] rds: fix an integer overflow test in rds_info_getsockopt()
@ 2015-08-01 12:33 ` Dan Carpenter
0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2015-08-01 12:33 UTC (permalink / raw)
To: Chien Yen, Andy Grover
Cc: David S. Miller, rds-devel, netdev, kernel-janitors
"len" is a signed integer. We check that len is not negative, so it
goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison
is type promoted to unsigned long. ULONG_MAX - 4095 is a higher than
INT_MAX so the condition can never be true.
I don't know if this is harmful but it seems safe to limit "len" to
INT_MAX - 4095.
Fixes: a8c879a7ee98 ('RDS: Info and stats')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/net/rds/info.c b/net/rds/info.c
index 9a6b4f6..140a44a 100644
--- a/net/rds/info.c
+++ b/net/rds/info.c
@@ -176,7 +176,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval,
/* check for all kinds of wrapping and the like */
start = (unsigned long)optval;
- if (len < 0 || len + PAGE_SIZE - 1 < len || start + len < start) {
+ if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || start + len < start) {
ret = -EINVAL;
goto out;
}
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [patch] rds: fix an integer overflow test in rds_info_getsockopt()
2015-08-01 12:33 ` Dan Carpenter
@ 2015-08-03 22:20 ` David Miller
-1 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2015-08-03 22:20 UTC (permalink / raw)
To: dan.carpenter; +Cc: chien.yen, agrover, rds-devel, netdev, kernel-janitors
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat, 1 Aug 2015 15:33:26 +0300
> "len" is a signed integer. We check that len is not negative, so it
> goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison
> is type promoted to unsigned long. ULONG_MAX - 4095 is a higher than
> INT_MAX so the condition can never be true.
>
> I don't know if this is harmful but it seems safe to limit "len" to
> INT_MAX - 4095.
>
> Fixes: a8c879a7ee98 ('RDS: Info and stats')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Applied, thanks Dan.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [patch] rds: fix an integer overflow test in rds_info_getsockopt()
@ 2015-08-03 22:20 ` David Miller
0 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2015-08-03 22:20 UTC (permalink / raw)
To: dan.carpenter; +Cc: chien.yen, agrover, rds-devel, netdev, kernel-janitors
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Sat, 1 Aug 2015 15:33:26 +0300
> "len" is a signed integer. We check that len is not negative, so it
> goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison
> is type promoted to unsigned long. ULONG_MAX - 4095 is a higher than
> INT_MAX so the condition can never be true.
>
> I don't know if this is harmful but it seems safe to limit "len" to
> INT_MAX - 4095.
>
> Fixes: a8c879a7ee98 ('RDS: Info and stats')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Applied, thanks Dan.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-08-03 22:20 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-08-01 12:33 [patch] rds: fix an integer overflow test in rds_info_getsockopt() Dan Carpenter
2015-08-01 12:33 ` Dan Carpenter
2015-08-03 22:20 ` David Miller
2015-08-03 22:20 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.