[thirdparty/kernel/stable-queue.git] / releases / 2.6.27.36 / net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch

From arjan@infradead.org  Thu Oct  1 11:19:55 2009
From: Arjan van de Ven <arjan@infradead.org>
Date: Wed, 30 Sep 2009 13:51:11 +0200
Subject: net ax25: Fix signed comparison in the sockopt handler
To: davem@davemloft.net
Cc: jakub@redhat.com, security@kernel.org, torvalds@linux-foundation.org, mingo@elte.hu, stable@kernel.org
Message-ID: <20090930135111.64240d86@infradead.org>


From: Arjan van de Ven <arjan@linux.intel.com>

fixed upstream in commit b7058842c940ad2c08dd829b21e5c92ebe3b8758 in a different way

The ax25 code tried to use

        if (optlen < sizeof(int))
                return -EINVAL;

as a security check against optlen being negative (or zero) in the
set socket option.

Unfortunately, "sizeof(int)" is an unsigned property, with the
result that the whole comparison is done in unsigned, letting
negative values slip through.

This patch changes this to

        if (optlen < (int)sizeof(int))
                return -EINVAL;

so that the comparison is done as signed, and negative values
get properly caught.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/ax25/af_ax25.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -539,7 +539,7 @@ static int ax25_setsockopt(struct socket
 	if (level != SOL_AX25)
 		return -ENOPROTOOPT;
 
-	if (optlen < sizeof(int))
+	if (optlen < (int)sizeof(int))
 		return -EINVAL;
 
 	if (get_user(opt, (int __user *)optval))
Commit	Line	Data
0294f785 GKH	1	From arjan@infradead.org Thu Oct 1 11:19:55 2009
	2	From: Arjan van de Ven <arjan@infradead.org>
	3	Date: Wed, 30 Sep 2009 13:51:11 +0200
	4	Subject: net ax25: Fix signed comparison in the sockopt handler
	5	To: davem@davemloft.net
	6	Cc: jakub@redhat.com, security@kernel.org, torvalds@linux-foundation.org, mingo@elte.hu, stable@kernel.org
	7	Message-ID: <20090930135111.64240d86@infradead.org>
	8
	9
	10	From: Arjan van de Ven <arjan@linux.intel.com>
	11
	12	fixed upstream in commit b7058842c940ad2c08dd829b21e5c92ebe3b8758 in a different way
	13
	14	The ax25 code tried to use
	15
	16	if (optlen < sizeof(int))
	17	return -EINVAL;
	18
	19	as a security check against optlen being negative (or zero) in the
	20	set socket option.
	21
	22	Unfortunately, "sizeof(int)" is an unsigned property, with the
	23	result that the whole comparison is done in unsigned, letting
	24	negative values slip through.
	25
	26	This patch changes this to
	27
	28	if (optlen < (int)sizeof(int))
	29	return -EINVAL;
	30
	31	so that the comparison is done as signed, and negative values
	32	get properly caught.
	33
	34	Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
	35	Cc: David S. Miller <davem@davemloft.net>
	36	Cc: Ingo Molnar <mingo@elte.hu>
	37	Cc: Linus Torvalds <torvalds@linux-foundation.org>
	38	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	39
	40	---
	41	net/ax25/af_ax25.c \| 2 +-
	42	1 file changed, 1 insertion(+), 1 deletion(-)
	43
	44	--- a/net/ax25/af_ax25.c
	45	+++ b/net/ax25/af_ax25.c
	46	@@ -539,7 +539,7 @@ static int ax25_setsockopt(struct socket
	47	if (level != SOL_AX25)
	48	return -ENOPROTOOPT;
	49
	50	- if (optlen < sizeof(int))
	51	+ if (optlen < (int)sizeof(int))
	52	return -EINVAL;
	53
	54	if (get_user(opt, (int __user *)optval))