2.6.36-stable review patch. If anyone has any objections, please let us know.
------------------ From: Dan Rosenberg <[email protected]> commit 218854af84038d828a32f061858b1902ed2beec6 upstream. In rds_cmsg_rdma_args(), the user-provided args->nr_local value is restricted to less than UINT_MAX. This seems to need a tighter upper bound, since the calculation of total iov_size can overflow, resulting in a small sock_kmalloc() allocation. This would probably just result in walking off the heap and crashing when calling rds_rdma_pages() with a high count value. If it somehow doesn't crash here, then memory corruption could occur soon after. Signed-off-by: Dan Rosenberg <[email protected]> Signed-off-by: David S. Miller <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- net/rds/rdma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -474,7 +474,7 @@ static struct rds_rdma_op *rds_rdma_prep goto out; } - if (args->nr_local > (u64)UINT_MAX) { + if (args->nr_local > UIO_MAXIOV) { ret = -EMSGSIZE; goto out; } _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
