From patchwork Fri Jan 6 18:44:15 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Santosh Shilimkar X-Patchwork-Id: 712086 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3twD4B0Wn7z9t1C for ; Sat, 7 Jan 2017 05:44:42 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1032742AbdAFSo2 (ORCPT ); Fri, 6 Jan 2017 13:44:28 -0500 Received: from aserp1040.oracle.com ([141.146.126.69]:18888 "EHLO aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1032610AbdAFSoZ (ORCPT ); Fri, 6 Jan 2017 13:44:25 -0500 Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v06IiM47017176 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 6 Jan 2017 18:44:22 GMT Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0021.oracle.com (8.13.8/8.14.4) with ESMTP id v06IiLM4014615 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 6 Jan 2017 18:44:22 GMT Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v06IiK3H004035; Fri, 6 Jan 2017 18:44:21 GMT Received: from localhost.localdomain (/10.159.191.167) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 06 Jan 2017 10:44:20 -0800 From: Santosh Shilimkar To: netdev@vger.kernel.org, davem@davemloft.net Cc: linux-kernel@vger.kernel.org, Santosh Shilimkar Subject: [net-next][PATCH] RDS: validate the requested traces user input against max supported Date: Fri, 6 Jan 2017 10:44:15 -0800 Message-Id: <1483728255-9111-1-git-send-email-santosh.shilimkar@oracle.com> X-Mailer: git-send-email 1.9.1 X-Source-IP: aserv0021.oracle.com [141.146.126.233] Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Larger than supported value can lead to array read/write overflow. Reported-by: Colin Ian King Signed-off-by: Santosh Shilimkar --- net/rds/af_rds.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c index fd821740..b405f77 100644 --- a/net/rds/af_rds.c +++ b/net/rds/af_rds.c @@ -310,6 +310,9 @@ static int rds_recv_track_latency(struct rds_sock *rs, char __user *optval, if (copy_from_user(&trace, optval, sizeof(trace))) return -EFAULT; + if (trace.rx_traces > RDS_MSG_RX_DGRAM_TRACE_MAX) + return -EFAULT; + rs->rs_rx_traces = trace.rx_traces; for (i = 0; i < rs->rs_rx_traces; i++) { if (trace.rx_trace_pos[i] > RDS_MSG_RX_DGRAM_TRACE_MAX) {