| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20090129.171524.41361209.davem@davemloft.net> Date: Thu, 29 Jan 2009 17:15:24 -0800 (PST) From: David Miller <davem@...emloft.net> To: steve@...gwyn.com Cc: roel.kluin@...il.com, christine.caulfield@...glemail.com, linux-decnet-user@...ts.sourceforge.net, netdev@...r.kernel.org Subject: Re: [PATCH] decnet: incorrect optlen size From: steve@...gwyn.com Date: Thu, 29 Jan 2009 08:58:58 +0000 > On Thu, Jan 29, 2009 at 09:21:15AM +0100, Roel Kluin wrote: > > @@ -1359,10 +1359,10 @@ static int __dn_setsockopt(struct socket *sock, int level,int optname, char __us > > if (optlen && !optval) > > return -EINVAL; > > > > - if (optlen > sizeof(u)) > > + if (optlen < sizeof(u)) > > return -EINVAL; > > > I don't see that this makes sense... we want to ensure that the passed > length is less than the size of the union which we are going to use > as a buffer. > > > - if (copy_from_user(&u, optval, optlen)) > > + if (copy_from_user(&u, optval, sizeof(u))) > > return -EFAULT; > > > ... and here we only want to copy the amount of data that has actually > been supplied, not the whole buffer size since in many cases the > amount of data is less than the total buffer size. This code is fine as-is, every single case statement below this code makes an explicit optlen equality check before deferencing any member of the union object we copy into. I'm therefore dropping this patch. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists