leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity

rds: Integer overflow in RDS cmsg handling

Browse Source 
In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX.  This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation.  This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value.  If it somehow doesn't crash here, then memory
corruption could occur soon after.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Dan Rosenberg 2010-11-17 06:37:16 +00:00 committed by David S. Miller
parent 7d98ffd8c2
commit 218854af84
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
net/rds/rdma.c
View File

@ -567,7 +567,7 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm,
goto out; goto out;
} }
if (args->nr_local > (u64)UINT_MAX) { if (args->nr_local > UIO_MAXIOV) {
ret = -EMSGSIZE; ret = -EMSGSIZE;
goto out; goto out;
} }