[thirdparty/kernel/stable-queue.git] / releases / 3.0.96 / tun-signedness-bug-in-tun_get_user.patch

From ebc6bacdc6d7bcf3fcf074e0aa5dd2f2fb2ff70a Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu, 15 Aug 2013 15:52:57 +0300
Subject: tun: signedness bug in tun_get_user()

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 15718ea0d844e4816dbd95d57a8a0e3e264ba90e ]

The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
not totally correct.  Because "len" and "sizeof()" are size_t type, that
means they are never less than zero.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/tun.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -614,8 +614,9 @@ static __inline__ ssize_t tun_get_user(s
 	int offset = 0;
 
 	if (!(tun->flags & TUN_NO_PI)) {
-		if ((len -= sizeof(pi)) > count)
+		if (len < sizeof(pi))
 			return -EINVAL;
+		len -= sizeof(pi);
 
 		if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi)))
 			return -EFAULT;
@@ -623,8 +624,9 @@ static __inline__ ssize_t tun_get_user(s
 	}
 
 	if (tun->flags & TUN_VNET_HDR) {
-		if ((len -= tun->vnet_hdr_sz) > count)
+		if (len < tun->vnet_hdr_sz)
 			return -EINVAL;
+		len -= tun->vnet_hdr_sz;
 
 		if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
 			return -EFAULT;
Commit	Line	Data
3b059fd8 GKH	1	From ebc6bacdc6d7bcf3fcf074e0aa5dd2f2fb2ff70a Mon Sep 17 00:00:00 2001
	2	From: Dan Carpenter <dan.carpenter@oracle.com>
	3	Date: Thu, 15 Aug 2013 15:52:57 +0300
	4	Subject: tun: signedness bug in tun_get_user()
	5
	6	From: Dan Carpenter <dan.carpenter@oracle.com>
	7
	8	[ Upstream commit 15718ea0d844e4816dbd95d57a8a0e3e264ba90e ]
	9
	10	The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
	11	not totally correct. Because "len" and "sizeof()" are size_t type, that
	12	means they are never less than zero.
	13
	14	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	15	Acked-by: Michael S. Tsirkin <mst@redhat.com>
	16	Acked-by: Neil Horman <nhorman@tuxdriver.com>
	17	Signed-off-by: David S. Miller <davem@davemloft.net>
	18	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	19	---
	20	drivers/net/tun.c \| 6 ++++--
	21	1 file changed, 4 insertions(+), 2 deletions(-)
	22
	23	--- a/drivers/net/tun.c
	24	+++ b/drivers/net/tun.c
	25	@@ -614,8 +614,9 @@ static __inline__ ssize_t tun_get_user(s
	26	int offset = 0;
	27
	28	if (!(tun->flags & TUN_NO_PI)) {
	29	- if ((len -= sizeof(pi)) > count)
	30	+ if (len < sizeof(pi))
	31	return -EINVAL;
	32	+ len -= sizeof(pi);
	33
	34	if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi)))
	35	return -EFAULT;
	36	@@ -623,8 +624,9 @@ static __inline__ ssize_t tun_get_user(s
	37	}
	38
	39	if (tun->flags & TUN_VNET_HDR) {
	40	- if ((len -= tun->vnet_hdr_sz) > count)
	41	+ if (len < tun->vnet_hdr_sz)
	42	return -EINVAL;
	43	+ len -= tun->vnet_hdr_sz;
	44
	45	if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
	46	return -EFAULT;