diff options
author | Dan Rosenberg <drosenberg@vsecurity.com> | 2010-11-17 06:37:16 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-11-17 12:20:52 -0800 |
commit | 218854af84038d828a32f061858b1902ed2beec6 (patch) | |
tree | d5c688bc9856b3763e354619ff46ebe20edad891 /net | |
parent | 7d98ffd8c2d1da6cec5d84eba42c4aa836a93f85 (diff) | |
download | linux-3.10-218854af84038d828a32f061858b1902ed2beec6.tar.gz linux-3.10-218854af84038d828a32f061858b1902ed2beec6.tar.bz2 linux-3.10-218854af84038d828a32f061858b1902ed2beec6.zip |
rds: Integer overflow in RDS cmsg handling
In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX. This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation. This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value. If it somehow doesn't crash here, then memory
corruption could occur soon after.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/rds/rdma.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/rds/rdma.c b/net/rds/rdma.c index 8920f2a8332..4e37c1cbe8b 100644 --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -567,7 +567,7 @@ int rds_cmsg_rdma_args(struct rds_sock *rs, struct rds_message *rm, goto out; } - if (args->nr_local > (u64)UINT_MAX) { + if (args->nr_local > UIO_MAXIOV) { ret = -EMSGSIZE; goto out; } |