From: David Miller <davem@davemloft.net>
To: steve@chygwyn.com
Cc: roel.kluin@gmail.com, christine.caulfield@googlemail.com,
linux-decnet-user@lists.sourceforge.net, netdev@vger.kernel.org
Subject: Re: [PATCH] decnet: incorrect optlen size
Date: Thu, 29 Jan 2009 17:15:24 -0800 (PST) [thread overview]
Message-ID: <20090129.171524.41361209.davem@davemloft.net> (raw)
In-Reply-To: <20090129085858.GA14198@fogou.chygwyn.com>
From: steve@chygwyn.com
Date: Thu, 29 Jan 2009 08:58:58 +0000
> On Thu, Jan 29, 2009 at 09:21:15AM +0100, Roel Kluin wrote:
> > @@ -1359,10 +1359,10 @@ static int __dn_setsockopt(struct socket *sock, int level,int optname, char __us
> > if (optlen && !optval)
> > return -EINVAL;
> >
> > - if (optlen > sizeof(u))
> > + if (optlen < sizeof(u))
> > return -EINVAL;
> >
> I don't see that this makes sense... we want to ensure that the passed
> length is less than the size of the union which we are going to use
> as a buffer.
>
> > - if (copy_from_user(&u, optval, optlen))
> > + if (copy_from_user(&u, optval, sizeof(u)))
> > return -EFAULT;
> >
> ... and here we only want to copy the amount of data that has actually
> been supplied, not the whole buffer size since in many cases the
> amount of data is less than the total buffer size.
This code is fine as-is, every single case statement below
this code makes an explicit optlen equality check before
deferencing any member of the union object we copy into.
I'm therefore dropping this patch.
prev parent reply other threads:[~2009-01-30 1:15 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-29 8:21 [PATCH] decnet: incorrect optlen size Roel Kluin
2009-01-29 8:58 ` steve
2009-01-30 1:15 ` David Miller [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090129.171524.41361209.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=christine.caulfield@googlemail.com \
--cc=linux-decnet-user@lists.sourceforge.net \
--cc=netdev@vger.kernel.org \
--cc=roel.kluin@gmail.com \
--cc=steve@chygwyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).