From: Eric Dumazet <[email protected]> ===================================================================== | This is a commit scheduled for the next v2.6.34 longterm release. | | If you see a problem with using this for longterm, please comment.| =====================================================================
commit 27b3d80a7b6adcf069b5e869e4efcc3a79f88a91 upstream. When proc_doulongvec_minmax() is used with an array of longs, and no min/max check requested (.extra1 or .extra2 being NULL), we dereference a NULL pointer for the second element of the array. Noticed while doing some changes in network stack for the "16TB problem" Fix is to not change min & max pointers in __do_proc_doulongvec_minmax(), so that all elements of the vector share an unique min/max limit, like proc_dointvec_minmax(). [[email protected]: coding-style fixes] Signed-off-by: Eric Dumazet <[email protected]> Cc: "Eric W. Biederman" <[email protected]> Cc: Americo Wang <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]> Signed-off-by: Paul Gortmaker <[email protected]> --- kernel/sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 8686b0f..d2ceded 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -2314,7 +2314,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int vleft = table->maxlen / sizeof(unsigned long); left = *lenp; - for (; left && vleft--; i++, min++, max++, first=0) { + for (; left && vleft--; i++, first = 0) { if (write) { while (left) { char c; -- 1.7.4.4 _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
