From: Marcel Holtmann <marcel@holtmann.org>
Date: Sat, 26 Mar 2005 01:49:05 +0000 (-0800)
Subject: [PATCH] Fix signedness problem at socket creation
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff8b1b95f7ed208ce29b7c1d9d33abbd7ca447d7;p=thirdparty%2Fkernel%2Fstable.git

[PATCH] Fix signedness problem at socket creation

CAN-2005-0750 is assigned to this issue

ilja <ilja@suresec.org> discovered potential local root exploit in
bluetooth socket creation.

This patch fixes a small signedness problem when creating the
socket.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
---

diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 8ff58bc2bf275..064641c96e832 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -64,7 +64,7 @@ static kmem_cache_t *bt_sock_cache;
 
 int bt_sock_register(int proto, struct net_proto_family *ops)
 {
-	if (proto >= BT_MAX_PROTO)
+	if (proto < 0 || proto >= BT_MAX_PROTO)
 		return -EINVAL;
 
 	if (bt_proto[proto])
@@ -77,7 +77,7 @@ EXPORT_SYMBOL(bt_sock_register);
 
 int bt_sock_unregister(int proto)
 {
-	if (proto >= BT_MAX_PROTO)
+	if (proto < 0 || proto >= BT_MAX_PROTO)
 		return -EINVAL;
 
 	if (!bt_proto[proto])
@@ -92,7 +92,7 @@ static int bt_sock_create(struct socket *sock, int proto)
 {
 	int err = 0;
 
-	if (proto >= BT_MAX_PROTO)
+	if (proto < 0 || proto >= BT_MAX_PROTO)
 		return -EINVAL;
 
 #if defined(CONFIG_KMOD)