[PATCH] : Fix check for underflow

http://bugme.osdl.org/show_bug.cgi?id=4279 Summary: When I try to start vpnc the net/core/skbuff.c:91 crash This check is wrong, gcc optimizes it away: if ((len -= sizeof(pi)) > len) return -EINVAL; This could be responsible for the BUG. If len is 2 or 3 and TUN_NO_PI isn't set it underflows. alloc_skb() allocates len + 2, which is 0 or 1 byte. skb_reserve tries to reserve 2 bytes and things explode in skb_put. [TUN]: Fix check for underflow Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

[PATCH] : Fix check for underflow
http://bugme.osdl.org/show_bug.cgi?id=4279 Summary: When I try to start vpnc the net/core/skbuff.c:91 crash This check is wrong, gcc optimizes it away: if ((len -= sizeof(pi)) > len) return -EINVAL; This could be responsible for the BUG. If len is 2 or 3 and TUN_NO_PI isn't set it underflows. alloc_skb() allocates len + 2, which is 0 or 1 byte. skb_reserve tries to reserve 2 bytes and things explode in skb_put. [TUN]: Fix check for underflow Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
d37d0fb8 · Stephen Hemminger · Greg Kroah-Hartman · ad6be076 · d37d0fb8
Commit d37d0fb8 authored Mar 18, 2005 by Stephen Hemminger Committed by Greg Kroah-Hartman Mar 18, 2005
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/net/tun.c drivers/net/tun.c +1 -1

No files found.
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -229,7 +229,7 @@ static __inline__ ssize_t tun_get_user(struct tun_struct *tun, struct iovec *iv,
 	size_t len = count;

 	if (!(tun->flags & TUN_NO_PI)) {
-		if ((len -= sizeof(pi)) > len)
+		if ((len -= sizeof(pi)) > count)
 			return -EINVAL;

 		if(memcpy_fromiovec((void *)&pi, iv, sizeof(pi)))