Commit | Line | Data |
---|---|---|
0294f785 GKH |
1 | From arjan@infradead.org Thu Oct 1 11:19:55 2009 |
2 | From: Arjan van de Ven <arjan@infradead.org> | |
3 | Date: Wed, 30 Sep 2009 13:51:11 +0200 | |
4 | Subject: net ax25: Fix signed comparison in the sockopt handler | |
5 | To: davem@davemloft.net | |
6 | Cc: jakub@redhat.com, security@kernel.org, torvalds@linux-foundation.org, mingo@elte.hu, stable@kernel.org | |
7 | Message-ID: <20090930135111.64240d86@infradead.org> | |
8 | ||
9 | ||
10 | From: Arjan van de Ven <arjan@linux.intel.com> | |
11 | ||
12 | fixed upstream in commit b7058842c940ad2c08dd829b21e5c92ebe3b8758 in a different way | |
13 | ||
14 | The ax25 code tried to use | |
15 | ||
16 | if (optlen < sizeof(int)) | |
17 | return -EINVAL; | |
18 | ||
19 | as a security check against optlen being negative (or zero) in the | |
20 | set socket option. | |
21 | ||
22 | Unfortunately, "sizeof(int)" is an unsigned property, with the | |
23 | result that the whole comparison is done in unsigned, letting | |
24 | negative values slip through. | |
25 | ||
26 | This patch changes this to | |
27 | ||
28 | if (optlen < (int)sizeof(int)) | |
29 | return -EINVAL; | |
30 | ||
31 | so that the comparison is done as signed, and negative values | |
32 | get properly caught. | |
33 | ||
34 | Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> | |
35 | Cc: David S. Miller <davem@davemloft.net> | |
36 | Cc: Ingo Molnar <mingo@elte.hu> | |
37 | Cc: Linus Torvalds <torvalds@linux-foundation.org> | |
38 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |
39 | ||
40 | --- | |
41 | net/ax25/af_ax25.c | 2 +- | |
42 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
43 | ||
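--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -539,7 +539,7 @@ static int ax25_setsockopt(struct socket
 if (level != SOL_AX25)
 return -ENOPROTOOPT;
 
- if (optlen < sizeof(int))
+ if (optlen < (int)sizeof(int))
 return -EINVAL;
 
 if (get_user(opt, (int __user *)optval))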
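Review bot: The added check `if (optlen < (int)sizeof(int))` depends entirely on the cast, and nothing at that line records why it is there, so a later cleanup could drop it as redundant and bring back the unsigned comparison the commit message describes. I would put a comment directly above it, `/* optlen is signed: cast so negative lengths fail the check */`. The visible `get_user()` reads a fixed-size `int`, but ax25_setsockopt starts and ends outside the hunk, so any later use of `optlen` as a copy length cannot be seen here and should be confirmed to carry its own upper bound. The description says upstream fixed this in a different way; if other handlers in this tree use the same `optlen < sizeof(...)` pattern, they would presumably need the same treatment.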