| commit | f3a66bdc88c3261f55b942453476e623056b92d9 | |
| author | Dan Carpenter <dan.carpenter@oracle.com> | |
| Sat, 1 Aug 2015 12:33:26 +0000 (1 15:33 +0300) | ||
| committer | Ben Hutchings <ben@decadent.org.uk> | |
| Tue, 13 Oct 2015 02:46:02 +0000 (13 03:46 +0100) | ||
| tree | 63291c134355b22e3e6e28a677fbd73e15d1a64b | treesnapshot (tar.gz zip) |
| parent | 6e3ae6256145b5597bee0296eb5fc384cd86aa3d | commitdiff |
rds: fix an integer overflow test in rds_info_getsockopt()
commit 468b732b6f76b138c0926eadf38ac88467dcd271 upstream.
"len" is a signed integer. We check that len is not negative, so it
goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison
is type promoted to unsigned long. ULONG_MAX - 4095 is a higher than
INT_MAX so the condition can never be true.
I don't know if this is harmful but it seems safe to limit "len" to
INT_MAX - 4095.
Fixes: a8c879a7ee98 ('RDS: Info and stats')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
commit 468b732b6f76b138c0926eadf38ac88467dcd271 upstream.
"len" is a signed integer. We check that len is not negative, so it
goes from zero to INT_MAX. PAGE_SIZE is unsigned long so the comparison
is type promoted to unsigned long. ULONG_MAX - 4095 is a higher than
INT_MAX so the condition can never be true.
I don't know if this is harmful but it seems safe to limit "len" to
INT_MAX - 4095.
Fixes: a8c879a7ee98 ('RDS: Info and stats')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
| net/rds/info.c | diffblobblamehistory |