[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <gacp0q$drj$1@taverner.cs.berkeley.edu>
Date: Fri, 12 Sep 2008 03:51:54 +0000 (UTC)
From: daw@...berkeley.edu (David Wagner)
To: linux-kernel@...r.kernel.org
Subject: Re: [PATCH] netlink: fix overrun in attribute iteration
Vegard Nossum wrote:
> /**
> * nla_ok - check if the netlink attribute fits into the remaining bytes
> * @nla: netlink attribute
> * @remaining: number of bytes remaining in attribute stream
> */
> static inline int nla_ok(const struct nlattr *nla, int remaining)
> {
> return remaining >= sizeof(*nla) &&
> nla->nla_len >= sizeof(*nla) &&
> nla->nla_len <= remaining;
> }
If 'remaining' had been declared to be of type size_t, this would
not have happened.
Guideline for secure programming: length values (and counts of bytes)
should be declared as size_t, where possible.
This guideline eliminates many signed/unsigned bugs. If one also
carefully avoids overflow (wraparound), other integer overflow bugs
are avoided as well.
The code above violates the guideline so we shouldn't be terribly
surprised if it happens to contain signed/unsigned vulnerabilities.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists