From patchwork Mon Oct 4 12:28:36 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 66645
X-Patchwork-Delegate: davem@davemloft.net
Received: from bicker (h3f08.n1.ips.mtn.co.ug [41.210.191.8]) by mx.google.com with ESMTPS id k46sm2936384weq.10.2010.10.04.05.28.49 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 04 Oct 2010
05:28:56 -0700 (PDT)
Date: Mon, 4 Oct 2010 14:28:36 +0200
From: Dan Carpenter
To: Jamal Hadi Salim
Cc: "David S. Miller", Stephen Hemminger, Frans Pop, Changli Gao, netdev@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] cls_u32: signedness bug
Message-ID: <20101004122836.GB5692@bicker>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

skb_headroom() is unsigned so "skb_headroom(skb) + toff" is also unsigned and can't be less than zero.

This test was added in 66d50d25: "u32: negative offset fix" It was supposed to fix a regression.

Signed-off-by: Dan Carpenter
---
Compile tested only. Please check.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c index 7416a5c..b0c2a82 100644 --- a/net/sched/cls_u32.c +++ b/net/sched/cls_u32.c @@ -137,7 +137,7 @@ next_knode: int toff = off + key->off + (off2 & key->offmask); __be32 *data, _data; - if (skb_headroom(skb) + toff < 0) + if (skb_headroom(skb) + toff > INT_MAX) goto out; data = skb_header_pointer(skb, toff, 4, &_data);
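
Review bot: the new test `skb_headroom(skb) + toff > INT_MAX` in the next_knode hunk works only through an implicit conversion that nothing in the code explains. Because skb_headroom() is unsigned, the int toff is converted to unsigned before the addition, so a negative toff larger in magnitude than the headroom wraps to a value above INT_MAX, and that wrapped value is what the comparison rejects. To a reader it looks like an overflow check on a large positive offset. Please add a one-line comment saying that a wrapped (negative) sum is being rejected, or state the intent with an explicit signed comparison such as `(int)(skb_headroom(skb) + toff) < 0`, so a later cleanup does not turn it back into a dead test. Since the message says this is compile tested only, the negative-offset case that 66d50d25 was meant to handle should be exercised at runtime before this is applied.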