From patchwork Wed Nov 23 04:28:24 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xi Wang X-Patchwork-Id: 127209 X-Patchwork-Delegate: davem@davemloft.net
From: Xi Wang Subject: [PATCH 1/2] ax25: integer overflows in ax25_setsockopt() Date: Tue, 22 Nov 2011 23:28:24 -0500 Message-Id: <7187C142-99F1-4A96-9BE6-650B10C9B22D@gmail.com> Cc: Joerg Reuter , Ralf Baechle , David Miller , linux-hams@vger.kernel.org, netdev@vger.kernel.org To: linux-kernel@vger.kernel.org Mime-Version: 1.0 (Apple Message framework v1084) X-Mailer: Apple Mail (2.1084) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org ax25_setsockopt() misses several upper-bound checks on the user-controlled value. Reported-by: Fan Long Signed-off-by: Xi Wang --- net/ax25/af_ax25.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index e7c69f4..be6a8cf 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -571,7 +571,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, break; case AX25_T1: - if (opt < 1) { + if (opt < 1 || opt > 30) { res = -EINVAL; break; } @@ -580,7 +580,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, break; case AX25_T2: - if (opt < 1) { + if (opt < 1 || opt > 20) { res = -EINVAL; break; } @@ -596,7 +596,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, break; case AX25_T3: - if (opt < 1) { + if (opt < 0 || opt > 3600) { res = -EINVAL; break; } @@ -604,7 +604,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, break; case AX25_IDLE: - if (opt < 0) { + if (opt < 0 || opt > 65535) { res = -EINVAL; break; }
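
Review bot: In the AX25_T1 hunk (and likewise AX25_T2), the new limits in `opt > 30` and `opt > 20` are bare literals, and neither the code nor the commit message says what unit they are in or which later computation on `opt` overflows without them. The subject promises integer-overflow fixes, so the message should name the overflowing expression, and the bounds would be easier to audit if they were derived from that expression or given as named constants with a short comment, rather than fixed numbers a reader has to take on trust.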
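
Review bot: The AX25_T3 hunk changes the lower bound as well as adding the upper one: `if (opt < 1)` becomes `if (opt < 0 || opt > 3600)`, so a value of 0 that was previously rejected with -EINVAL is now accepted. The commit message only mentions missing upper-bound checks. If accepting 0 is intended, say so in the message and explain what T3 = 0 means; if not, keep the `opt < 1` test and add only the `opt > 3600` part.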
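
Review bot: In the AX25_IDLE hunk, `opt > 65535` reads like a width limit rather than a timeout limit, unlike the 30, 20 and 3600 used in the other three cases, and nothing in the patch explains why this option gets a different kind of bound. Please state the unit of `opt` here and show that 65535 is small enough for whatever is computed from it, or express the limit in terms of that computation so the check stays correct if the surrounding code changes.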