Fix exploitable hole in sg_scsi_ioctl

in_len and out_len are signed quantites copied from user space but are only checked to see if they're > PAGE_SIZE. The exploit would be to pass in a negative quantity which would pass the check. Fix by making them unsigned. Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>

Fix exploitable hole in sg_scsi_ioctl
in_len and out_len are signed quantites copied from user space but are only checked to see if they're > PAGE_SIZE. The exploit would be to pass in a negative quantity which would pass the check. Fix by making them unsigned. Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
4d67885a · James Bottomley · ed092cbc · 4d67885a
Commit 4d67885a authored Jan 07, 2005 by James Bottomley
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

drivers/block/scsi_ioctl.c drivers/block/scsi_ioctl.c +2 -1

No files found.
--- a/drivers/block/scsi_ioctl.c
+++ b/drivers/block/scsi_ioctl.c
@@ -339,7 +339,8 @@ static int sg_scsi_ioctl(struct file *file, request_queue_t *q,
 			 struct gendisk *bd_disk, Scsi_Ioctl_Command __user *sic)
 {
 	struct request *rq;
-	int err, in_len, out_len, bytes, opcode, cmdlen;
+	int err;
+	unsigned int in_len, out_len, bytes, opcode, cmdlen;
 	char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];

 	/*