]>
Commit | Line | Data |
---|---|---|
3b059fd8 GKH |
1 | From ebc6bacdc6d7bcf3fcf074e0aa5dd2f2fb2ff70a Mon Sep 17 00:00:00 2001 |
2 | From: Dan Carpenter <dan.carpenter@oracle.com> | |
3 | Date: Thu, 15 Aug 2013 15:52:57 +0300 | |
4 | Subject: tun: signedness bug in tun_get_user() | |
5 | ||
6 | From: Dan Carpenter <dan.carpenter@oracle.com> | |
7 | ||
8 | [ Upstream commit 15718ea0d844e4816dbd95d57a8a0e3e264ba90e ] | |
9 | ||
10 | The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is | |
11 | not totally correct. Because "len" and "sizeof()" are size_t type, that | |
12 | means they are never less than zero. | |
13 | ||
14 | Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> | |
15 | Acked-by: Michael S. Tsirkin <mst@redhat.com> | |
16 | Acked-by: Neil Horman <nhorman@tuxdriver.com> | |
17 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
18 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
19 | --- | |
20 | drivers/net/tun.c | 6 ++++-- | |
21 | 1 file changed, 4 insertions(+), 2 deletions(-) | |
22 | ||
23 | --- a/drivers/net/tun.c | |
24 | +++ b/drivers/net/tun.c | |
25 | @@ -614,8 +614,9 @@ static __inline__ ssize_t tun_get_user(s | |
26 | int offset = 0; | |
27 | ||
28 | if (!(tun->flags & TUN_NO_PI)) { | |
29 | - if ((len -= sizeof(pi)) > count) | |
30 | + if (len < sizeof(pi)) | |
31 | return -EINVAL; | |
32 | + len -= sizeof(pi); | |
33 | ||
34 | if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi))) | |
35 | return -EFAULT; | |
36 | @@ -623,8 +624,9 @@ static __inline__ ssize_t tun_get_user(s | |
37 | } | |
38 | ||
39 | if (tun->flags & TUN_VNET_HDR) { | |
40 | - if ((len -= tun->vnet_hdr_sz) > count) | |
41 | + if (len < tun->vnet_hdr_sz) | |
42 | return -EINVAL; | |
43 | + len -= tun->vnet_hdr_sz; | |
44 | ||
45 | if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso))) | |
46 | return -EFAULT; |