Commit 4ad8ce65 authored by Dan Carpenter's avatar Dan Carpenter Committed by Willy Tarreau

rds: fix an integer overflow test in rds_info_getsockopt()

commit 468b732b upstream.

"len" is a signed integer.  We check that len is not negative, so it
goes from zero to INT_MAX.  PAGE_SIZE is unsigned long so the comparison
is type promoted to unsigned long.  ULONG_MAX - 4095 is a higher than
INT_MAX so the condition can never be true.

I don't know if this is harmful but it seems safe to limit "len" to
INT_MAX - 4095.

Fixes: a8c879a7 ('RDS: Info and stats')
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
(cherry picked from commit f3a66bdc)
Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
parent 70397cf6
...@@ -174,7 +174,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval, ...@@ -174,7 +174,7 @@ int rds_info_getsockopt(struct socket *sock, int optname, char __user *optval,
/* check for all kinds of wrapping and the like */ /* check for all kinds of wrapping and the like */
start = (unsigned long)optval; start = (unsigned long)optval;
if (len < 0 || len + PAGE_SIZE - 1 < len || start + len < start) { if (len < 0 || len > INT_MAX - PAGE_SIZE + 1 || start + len < start) {
ret = -EINVAL; ret = -EINVAL;
goto out; goto out;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment