From patchwork Tue Dec 27 19:43:19 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xi Wang X-Patchwork-Id: 133353 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id AAD88B6F68 for ; Wed, 28 Dec 2011 06:45:28 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753441Ab1L0TpK (ORCPT ); Tue, 27 Dec 2011 14:45:10 -0500 Received: from mail-qy0-f174.google.com ([209.85.216.174]:62434 "EHLO mail-qy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753133Ab1L0TpI (ORCPT ); Tue, 27 Dec 2011 14:45:08 -0500 Received: by qcqz2 with SMTP id z2so7076090qcq.19 for ; Tue, 27 Dec 2011 11:45:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=from:to:cc:subject:date:message-id:x-mailer; bh=azHqk73iiiG6PolA/2JaTzEqE1Sd8BJcYAfDhE6pyEY=; b=n03pvrqWtrvQ+5aq8wO8R7hyI85+2jdFmYw/nw7MX28Dla7jYRNJSK1W2bfF7M3Lfb Jw/aKrwYBpi9YMGECi10CHZDIe9ooZXjo7XDqNvArNnzysnOpioLkhxQmUPyd3lzDaA3 LbrJ8Ecr/f4gnUSx76huaSO0zlj/FxDa9xrz8= Received: by 10.229.78.143 with SMTP id l15mr10834731qck.84.1325015107690; Tue, 27 Dec 2011 11:45:07 -0800 (PST) Received: from localhost.localdomain (hchen.csail.mit.edu. [18.26.5.5]) by mx.google.com with ESMTPS id dj9sm52919950qab.18.2011.12.27.11.45.04 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 27 Dec 2011 11:45:05 -0800 (PST) From: Xi Wang To: linux-hams@vger.kernel.org Cc: "David S. Miller" , netdev@vger.kernel.org, Xi Wang , Ralf Baechle Subject: [PATCH -next] ax25: avoid overflows in ax25_setsockopt() Date: Tue, 27 Dec 2011 14:43:19 -0500 Message-Id: <1325014999-28931-1-git-send-email-xi.wang@gmail.com> X-Mailer: git-send-email 1.7.5.4 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Commit be639ac6 ("NET: AX.25: Check ioctl arguments to avoid overflows further down the road") rejects very large arguments, but doesn't completely fix overflows on 64-bit systems. Consider the AX25_T2 case. int opt; ... if (opt < 1 || opt > ULONG_MAX / HZ) { res = -EINVAL; break; } ax25->t2 = opt * HZ; The 32-bit multiplication opt * HZ would overflow before being assigned to 64-bit ax25->t2. This patch changes "opt" to unsigned long. Signed-off-by: Xi Wang Cc: Ralf Baechle --- net/ax25/af_ax25.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index b863c18..3cd0a0d 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -545,15 +545,16 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, ax25_cb *ax25; struct net_device *dev; char devname[IFNAMSIZ]; - int opt, res = 0; + unsigned long opt; + int res = 0; if (level != SOL_AX25) return -ENOPROTOOPT; - if (optlen < sizeof(int)) + if (optlen < sizeof(unsigned int)) return -EINVAL; - if (get_user(opt, (int __user *)optval)) + if (get_user(opt, (unsigned int __user *)optval)) return -EFAULT; lock_sock(sk); @@ -609,7 +610,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, break; case AX25_IDLE: - if (opt < 0 || opt > ULONG_MAX / (60 * HZ)) { + if (opt > ULONG_MAX / (60 * HZ)) { res = -EINVAL; break; } @@ -617,7 +618,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, break; case AX25_BACKOFF: - if (opt < 0 || opt > 2) { + if (opt > 2) { res = -EINVAL; break; }