From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, bunk@stusta.de,
YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>,
Sridhar Samudrala <sri@us.ibm.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [patch 15/31] Fix length validation in rawv6_sendmsg()
Date: Wed, 11 Apr 2007 15:52:07 -0700 [thread overview]
Message-ID: <20070411225207.GP24814@kroah.com> (raw)
In-Reply-To: <20070411225100.GA24814@kroah.com>
[-- Attachment #1: fix-length-validation-in-rawv6_sendmsg.patch --]
[-- Type: text/plain, Size: 2073 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
[IPv6]: Fix incorrect length check in rawv6_sendmsg()
In article <20070329.142644.70222545.davem@davemloft.net> (at Thu, 29 Mar 2007 14:26:44 -0700 (PDT)), David Miller <davem@davemloft.net> says:
> From: Sridhar Samudrala <sri@us.ibm.com>
> Date: Thu, 29 Mar 2007 14:17:28 -0700
>
> > The check for length in rawv6_sendmsg() is incorrect.
> > As len is an unsigned int, (len < 0) will never be TRUE.
> > I think checking for IPV6_MAXPLEN(65535) is better.
> >
> > Is it possible to send ipv6 jumbo packets using raw
> > sockets? If so, we can remove this check.
>
> I don't see why such a limitation against jumbo would exist,
> does anyone else?
>
> Thanks for catching this Sridhar. A good compiler should simply
> fail to compile "if (x < 0)" when 'x' is an unsigned type, don't
> you think :-)
Dave, we use "int" for returning value,
so we should fix this anyway, IMHO;
we should not allow len > INT_MAX.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Acked-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/ipv6/raw.c | 4 ++--
net/ipv6/udp.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -688,9 +688,9 @@ static int rawv6_sendmsg(struct kiocb *i
int err;
/* Rough check on arithmetic overflow,
- better check is made in ip6_build_xmit
+ better check is made in ip6_append_data().
*/
- if (len < 0)
+ if (len > INT_MAX)
return -EMSGSIZE;
/* Mirror BSD error message compatibility */
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -616,7 +616,7 @@ do_udp_sendmsg:
return udp_sendmsg(iocb, sk, msg, len);
/* Rough check on arithmetic overflow,
- better check is made in ip6_build_xmit
+ better check is made in ip6_append_data().
*/
if (len > INT_MAX - sizeof(struct udphdr))
return -EMSGSIZE;
--
next prev parent reply other threads:[~2007-04-11 22:55 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20070411224329.866978349@mini.kroah.org>
2007-04-11 22:51 ` [patch 00/31] [00/@num@] -stable review Greg KH
2007-04-11 22:51 ` [patch 01/31] kbuild: fix dependency generation Greg KH
2007-04-11 22:51 ` [patch 02/31] i386: fix file_read_actor() and pipe_read() for original i386 systems Greg KH
2007-04-11 22:51 ` [patch 03/31] sky2: reliable recovery Greg KH
2007-04-11 22:51 ` [patch 04/31] skge: turn carrier off when down Greg KH
2007-04-11 22:51 ` [patch 05/31] sky2: " Greg KH
2007-04-11 22:51 ` [patch 06/31] sky2: turn on clocks when doing resume Greg KH
2007-04-11 22:51 ` [patch 07/31] sky2: phy workarounds for Yukon EC-U A1 Greg KH
2007-04-11 22:51 ` [patch 08/31] DVB: tda10086: fix DiSEqC message length Greg KH
2007-04-11 22:51 ` [patch 09/31] DVB: pluto2: fix incorrect TSCR register setting Greg KH
2007-04-11 22:51 ` [patch 10/31] HID: Do not discard truncated input reports Greg KH
2007-04-11 22:51 ` [patch 11/31] Fix calculation for size of filemap_attr array in md/bitmap Greg KH
2007-04-11 22:51 ` [patch 12/31] 8139too: RTNL and flush_scheduled_work deadlock Greg KH
2007-04-11 22:51 ` [patch 13/31] NETFILTER: ipt_CLUSTERIP: fix oops in checkentry function Greg KH
2007-04-11 22:52 ` [patch 14/31] Fix IFB net driver input device crashes Greg KH
2007-04-11 22:52 ` Greg KH [this message]
2007-04-11 22:52 ` [patch 16/31] Fix scsi sense handling Greg KH
2007-04-11 22:52 ` [patch 17/31] Fix TCP receiver side SWS handling Greg KH
2007-04-11 22:52 ` [patch 18/31] Fix IPSEC replay window handling Greg KH
2007-04-11 22:52 ` [patch 19/31] Fix tcindex classifier ABI borkage Greg KH
2007-04-11 22:52 ` [patch 20/31] Fix TCP slow_start_after_idle sysctl Greg KH
2007-04-11 22:52 ` [patch 21/31] ide: use correct IDE error recovery Greg KH
2007-04-11 22:52 ` [patch 22/31] knfsd: allow nfsd READDIR to return 64bit cookies Greg KH
2007-04-11 22:52 ` [patch 23/31] softmac: avoid assert in ieee80211softmac_wx_get_rate Greg KH
2007-04-11 22:52 ` [patch 24/31] libata bugfix: preserve LBA bit for HDIO_DRIVE_TASK Greg KH
2007-04-11 22:52 ` [patch 25/31] ahci.c: walkaround for SB600 SATA internal error issue Greg KH
2007-04-11 22:52 ` [patch 26/31] fix lba48 bug in libata fill_result_tf() Greg KH
2007-04-11 22:52 ` [patch 27/31] libata: Clear tf before doing request sense (take 3) Greg KH
2007-04-11 22:52 ` [patch 28/31] revert "retries in ext3_prepare_write() violate ordering requirements" Greg KH
2007-04-11 22:52 ` [patch 29/31] revert "retries in ext4_prepare_write() " Greg KH
2007-04-11 22:53 ` [patch 30/31] fix page leak during core dump Greg KH
2007-04-11 22:53 ` [patch 31/31] Update libata drive blacklist to the latest from 2.6.21 Greg KH
2007-04-12 6:14 ` [patch 00/31] [00/@num@] -stable review Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070411225207.GP24814@kroah.com \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=bunk@stusta.de \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=sri@us.ibm.com \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=yoshfuji@linux-ipv6.org \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox