On 12/05/2013 07:23 PM, Jan Stancek wrote:
> After following 2 kernel commits:
>
> commit 1661bf364ae9c506bc8795fef70d1532931be1e8
> Author: Dan Carpenter <[email protected]>
> Date:   Thu Oct 3 00:27:20 2013 +0300
>
>     net: heap overflow in __audit_sockaddr()
>
> commit db31c55a6fb245fdbb752a2ca4aefec89afabb06
> Author: Dan Carpenter <[email protected]>
> Date:   Wed Nov 27 15:40:21 2013 +0300
>
>     net: clamp ->msg_namelen instead of returning an error
>
> msg_namelen is treated as an unsigned value because of this
> condition, which compares signed and unsigned arguments:
>
> net/socket.c copy_msghdr_from_user()
>     if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
>
> User-space (according to the POSIX spec) defines it as
> "unsigned opaque integral type of length of at least 32 bits".
>
> Passing -1 now has the same effect as passing a very large number
> and the syscall completes successfully.
>
> Change the test to use an invalid, but positive value for the
> "invalid to buffer length" testcase.
Nice log, thank you, pushed.

Wanlong Gao

_______________________________________________
Ltp-list mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ltp-list
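As an added illustration of the signed/unsigned comparison Jan describes above (example code written for this page, not kernel or LTP code): `namelen_is_oversized()` reproduces the `msg_namelen > sizeof(struct sockaddr_storage)` comparison from `copy_msghdr_from_user()`, `clamp_namelen()` is a hypothetical model of the clamping behaviour named in the second commit's title (not the kernel's implementation), and `namelen_is_valid()` shows a check that rejects negative lengths explicitly instead of relying on the implicit conversion.

```c
/* Added example, not kernel or LTP code. Demonstrates why a negative
 * msg_namelen passes an unsigned size comparison: in `int > size_t` the
 * int is converted to size_t, so -1 becomes SIZE_MAX. */
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>

/* Mirrors `kmsg->msg_namelen > sizeof(struct sockaddr_storage)`.
 * Returns 1 when the comparison regards the length as oversized;
 * note that -1 is reported as oversized, not as negative. */
int namelen_is_oversized(int msg_namelen)
{
    return msg_namelen > sizeof(struct sockaddr_storage);
}

/* Hypothetical clamp modelled on the behaviour the second commit's
 * title describes: an oversized length (which includes a negative one
 * after conversion) is reduced to sizeof(struct sockaddr_storage)
 * instead of failing the syscall. */
int clamp_namelen(int msg_namelen)
{
    if (msg_namelen > sizeof(struct sockaddr_storage))
        return (int)sizeof(struct sockaddr_storage);
    return msg_namelen;
}

/* Explicit-sign check: reject negatives before comparing magnitude, so a
 * test that passes -1 is treated as invalid rather than as "very large". */
int namelen_is_valid(int msg_namelen)
{
    if (msg_namelen < 0)
        return 0;
    return (size_t)msg_namelen <= sizeof(struct sockaddr_storage);
}

int main(void)
{
    /* Constructed sample lengths: negative, small, exact limit, one past. */
    int samples[] = { -1, 16, (int)sizeof(struct sockaddr_storage),
                      (int)sizeof(struct sockaddr_storage) + 1 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int n = samples[i];
        printf("msg_namelen=%d oversized=%d clamped=%d valid=%d\n",
               n, namelen_is_oversized(n), clamp_namelen(n),
               namelen_is_valid(n));
    }
    return 0;
}
```

The first line of output is the one the thread is about: -1 is reported as oversized, clamps to the full `sockaddr_storage` size, and only the explicit check calls it invalid, which is why a test that wants a length the kernel still rejects after the clamp commit cannot rely on a negative value.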
