From: shemminger@osdl.org
Date: Sat, 19 Mar 2005 05:40:56 +0000 (-0800)
Subject: [PATCH] Fix check for underflow
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3b49c2ec41b65abfd7e4ca38119ef82790f2d49c;p=thirdparty%2Fkernel%2Fstable.git

[PATCH] Fix check for underflow

http://bugme.osdl.org/show_bug.cgi?id=4279

Summary: When I try to start vpnc the net/core/skbuff.c:91 crash

This check is wrong, gcc optimizes it away:

	if ((len -= sizeof(pi)) > len)
		return -EINVAL;

This could be responsible for the BUG. If len is 2 or 3 and TUN_NO_PI isn't set it underflows. alloc_skb() allocates len + 2, which is 0 or 1 byte. skb_reserve tries to reserve 2 bytes and things explode in skb_put.

[TUN]: Fix check for underflow

Signed-off-by: Patrick McHardy
Signed-off-by: Chris Wright
Signed-off-by: Greg Kroah-Hartman
---
diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 420c9e26fd15f..42c4e806749e0 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -229,7 +229,7 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun, struct iovec *iv, size_t len = count; if (!(tun->flags & TUN_NO_PI)) { - if ((len -= sizeof(pi)) > len) + if ((len -= sizeof(pi)) > count) return -EINVAL; if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))
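
Review bot: the corrected test in tun_get_user() still performs the subtraction inside the condition and relies on size_t wraparound to detect a count smaller than sizeof(pi), which is the idiom that hid the original bug (the old form compared the assigned value with itself, so it could never be true). Comparing against count does work: when count is smaller than sizeof(pi) the wrapped len is larger than count, and otherwise it is not. It would be clearer and harder to break again as an explicit bounds check ahead of the subtraction, i.e. if (len < sizeof(pi)) return -EINVAL; followed by len -= sizeof(pi); on its own line. A one-line comment stating that len must cover the pi header before memcpy_fromiovec() copies it would also document why the check is there.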