| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 Dec 2011 06:16:30 +0100 From: Eric Dumazet <eric.dumazet@...il.com> To: Xi Wang <xi.wang@...il.com> Cc: Tom Herbert <therbert@...gle.com>, "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org Subject: Re: [PATCH v2] rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Le vendredi 23 décembre 2011 à 00:10 -0500, Xi Wang a écrit : > On Dec 22, 2011, at 11:53 PM, Eric Dumazet wrote: > > All I wanted to say is that while mixing INT_MAX/ULONG_MAX, you could > > have spotted the other bug in the code : > > > > unsigned int count; > > > > count = simple_strtoul(buf, &endp, 0); > > Are you suggesting to change the type of "count" to unsigned long? > That seems like a separate issue from the bounds checking part. > > I don't see the possible 32-bit truncation here is a serious issue though. > The user could even echo "128abc" into rps_flow_cnt and simple_strtoul() > would be happy to pick 128. > 32 bit truncation _is_ a bound checking problem too. Really, mixing INT_MAX / ULONG_MAX is ugly, this should had ring a bell when writing such hard to read code. You cannot claim to give more range to 64bit platform, yet not spotting the 32bit truncation issue. When fixing a bug, its always a good thing to look things around, and try to check the whole function. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists