forked from luck/tmp_suning_uos_patched
rds: fix an integer overflow test in rds_info_getsockopt()
"len" is a signed integer. We check that len is not negative, so it
goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison
is type promoted to unsigned long. ULONG_MAX - 4095 is a higher than
INT_MAX so the condition can never be true.
I don't know if this is harmful but it seems safe to limit "len" to
INT_MAX - 4095.
Fixes: a8c879a7ee
('RDS: Info and stats')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
636dba8e12
commit
468b732b6f
|
@ -176,7 +176,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval,
|
|||
|
||||
/* check for all kinds of wrapping and the like */
|
||||
start = (unsigned long)optval;
|
||||
if (len < 0 || len + PAGE_SIZE - 1 < len || start + len < start) {
|
||||
if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || start + len < start) {
|
||||
ret = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue
Block a user