From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
Neil Horman <nhorman@tuxdriver.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 10/23] tun: signedness bug in tun_get_user()
Date: Thu, 12 Sep 2013 10:45:06 -0700 [thread overview]
Message-ID: <20130912174452.868503548@linuxfoundation.org> (raw)
In-Reply-To: <20130912174451.748805761@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 15718ea0d844e4816dbd95d57a8a0e3e264ba90e ]
The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
not totally correct. Because "len" and "sizeof()" are size_t type, that
means they are never less than zero.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/tun.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -615,8 +615,9 @@ static ssize_t tun_get_user(struct tun_s
int offset = 0;
if (!(tun->flags & TUN_NO_PI)) {
- if ((len -= sizeof(pi)) > count)
+ if (len < sizeof(pi))
return -EINVAL;
+ len -= sizeof(pi);
if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi)))
return -EFAULT;
@@ -624,8 +625,9 @@ static ssize_t tun_get_user(struct tun_s
}
if (tun->flags & TUN_VNET_HDR) {
- if ((len -= tun->vnet_hdr_sz) > count)
+ if (len < tun->vnet_hdr_sz)
return -EINVAL;
+ len -= tun->vnet_hdr_sz;
if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
return -EFAULT;
next prev parent reply other threads:[~2013-09-12 17:49 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-12 17:44 [ 00/23] 3.4.62-stable review Greg Kroah-Hartman
2013-09-12 17:44 ` [ 01/23] htb: fix sign extension bug Greg Kroah-Hartman
2013-09-13 5:04 ` [00/23] 3.4.62-stable review Guenter Roeck
2013-09-13 12:35 ` Greg Kroah-Hartman
2013-09-12 17:44 ` [ 02/23] net: check net.core.somaxconn sysctl values Greg Kroah-Hartman
2013-09-12 17:44 ` [ 03/23] neighbour: populate neigh_parms on alloc before calling ndo_neigh_setup Greg Kroah-Hartman
2013-09-12 17:45 ` [ 04/23] bonding: modify only neigh_parms owned by us Greg Kroah-Hartman
2013-09-12 17:45 ` [ 05/23] fib_trie: remove potential out of bound access Greg Kroah-Hartman
2013-09-12 17:45 ` [ 06/23] tcp: cubic: fix overflow error in bictcp_update() Greg Kroah-Hartman
2013-09-12 17:45 ` [ 07/23] tcp: cubic: fix bug in bictcp_acked() Greg Kroah-Hartman
2013-09-12 17:45 ` [ 08/23] ipv6: dont stop backtracking in fib6_lookup_1 if subtree does not match Greg Kroah-Hartman
2013-09-12 17:45 ` [ 09/23] 8139cp: Fix skb leak in rx_status_loop failure path Greg Kroah-Hartman
2013-09-12 17:45 ` Greg Kroah-Hartman [this message]
2013-09-12 17:45 ` [ 11/23] ipv6: remove max_addresses check from ipv6_create_tempaddr Greg Kroah-Hartman
2013-09-12 17:45 ` [ 12/23] ipv6: drop packets with multiple fragmentation headers Greg Kroah-Hartman
2013-09-12 17:45 ` [ 13/23] ipv6: Dont depend on per socket memory for neighbour discovery messages Greg Kroah-Hartman
2013-09-12 17:45 ` [ 14/23] net: bridge: convert MLDv2 Query MRC into msecs_to_jiffies for max_delay Greg Kroah-Hartman
2013-09-12 17:45 ` [ 15/23] ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO Greg Kroah-Hartman
2013-09-12 17:45 ` [ 16/23] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv Greg Kroah-Hartman
2013-09-12 17:45 ` [ 17/23] vhost: zerocopy: poll vq in zerocopy callback Greg Kroah-Hartman
2013-09-12 17:45 ` [ 18/23] macvtap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS Greg Kroah-Hartman
2013-09-12 17:45 ` [ 19/23] tipc: fix lockdep warning during bearer initialization Greg Kroah-Hartman
2013-09-12 17:45 ` [ 20/23] m32r: consistently use "suffix-$(...)" Greg Kroah-Hartman
2013-09-12 17:45 ` [ 21/23] m32r: add memcpy() for CONFIG_KERNEL_GZIP=y Greg Kroah-Hartman
2013-09-12 17:45 ` [ 22/23] m32r: make memset() global for CONFIG_KERNEL_BZIP2=y Greg Kroah-Hartman
2013-09-12 17:45 ` [ 23/23] Revert "KVM: X86 emulator: fix source operand decoding for 8bit mov[zs]x instructions" Greg Kroah-Hartman
2013-09-13 23:02 ` [ 00/23] 3.4.62-stable review Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130912174452.868503548@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=nhorman@tuxdriver.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.