| From 468b732b6f76b138c0926eadf38ac88467dcd271 Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Sat, 1 Aug 2015 15:33:26 +0300 |
| Subject: rds: fix an integer overflow test in rds_info_getsockopt() |
| |
| commit 468b732b6f76b138c0926eadf38ac88467dcd271 upstream. |
| |
| "len" is a signed integer. We check that len is not negative, so it |
| goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison |
| is type promoted to unsigned long. ULONG_MAX - 4095 is a higher than |
| INT_MAX so the condition can never be true. |
| |
| I don't know if this is harmful but it seems safe to limit "len" to |
| INT_MAX - 4095. |
| |
| Fixes: a8c879a7ee98 ('RDS: Info and stats') |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Zefan Li <lizefan@huawei.com> |
| --- |
| net/rds/info.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/rds/info.c |
| +++ b/net/rds/info.c |
| @@ -176,7 +176,7 @@ int rds_info_getsockopt(struct socket *s |
| |
| /* check for all kinds of wrapping and the like */ |
| start = (unsigned long)optval; |
| - if (len < 0 || len + PAGE_SIZE - 1 < len || start + len < start) { |
| + if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || start + len < start) { |
| ret = -EINVAL; |
| goto out; |
| } |