Commit 468b732b authored Aug 01, 2015 by Dan Carpenter Committed by David S. Miller Aug 03, 2015

rds: fix an integer overflow test in rds_info_getsockopt()



"len" is a signed integer.  We check that len is not negative, so it
goes from zero to INT_MAX.  PAGE_SIZE is unsigned long so the comparison
is type promoted to unsigned long.  ULONG_MAX - 4095 is a higher than
INT_MAX so the condition can never be true.

I don't know if this is harmful but it seems safe to limit "len" to
INT_MAX - 4095.

Fixes: a8c879a7 ('RDS: Info and stats')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 636dba8e

net/rds/info.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -176,7 +176,7 @@ int rds_info_getsockopt(struct socket sock, int optname, char __user optval,

		/* check for all kinds of wrapping and the like */
		start = (unsigned long)optval;
		if (len < 0 \|\| len + PAGE_SIZE - 1 < len \|\| start + len < start) {
		if (len < 0 \|\| len > INT_MAX - PAGE_SIZE + 1 \|\| start + len < start) {
		ret = -EINVAL;
		goto out;
		}