* David Miller ([EMAIL PROTECTED]) wrote:
> From: YOSHIFUJI Hideaki / 吉藤英明 <[EMAIL PROTECTED]>
> Date: Fri, 09 Mar 2007 10:13:28 +0900 (JST)
>
> > Bug noticed by Chris Wright <[EMAIL PROTECTED]>.
> >
> > Signed-off-by: YOSHIFUJI Hideaki <[EMAIL PROTECTED]>
>
> Applied, thanks a lot.
Crud, I should have noticed this earlier. This has a problem, min_t(int)
means user supplied < 0 is a large copy_to_user (back to leaking memory
on arch's that don't protect < 0 copy_to_user like i386 does). Here's
a simple fix ontop of yoshifuji's two changes. Hope that's it ;-)
thanks,
-chris
--
From: Chris Wright <[EMAIL PROTECTED]>
Subject: [IPV6] fix ipv6_getsockopt_sticky copy_to_user leak
User supplied len < 0 can cause leak of kernel memory.
Use unsigned compare instead.
Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
---
net/ipv6/ipv6_sockglue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index a4f06ce..321287b 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -824,7 +824,7 @@ static int ipv6_getsockopt_sticky(struct sock *sk, struct
ipv6_txoptions *opt,
if (!hdr)
return 0;
- len = min_t(int, len, ipv6_optlen(hdr));
+ len = min_t(unsigned, len, ipv6_optlen(hdr));
if (copy_to_user(optval, hdr, len));
return -EFAULT;
return ipv6_optlen(hdr);
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
