sctp: integer overflow in sctp_auth_create_key()

Message ID 028246D6-9024-4E43-93A1-25A87878CBBC@gmail.com
State Accepted, archived
Delegated to: David Miller

Commit Message

Xi Wang Nov. 23, 2011, 1:55 a.m. UTC
The previous commit 30c2235c is incomplete and cannot prevent integer
overflows. For example, when key_len is 0x80000000 (INT_MAX + 1), the
left-hand side of the check, (INT_MAX - key_len), which is unsigned,
becomes 0xffffffff (UINT_MAX) and bypasses the check.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
---
net/sctp/auth.c |    2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
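
The boundary behaviour the commit message describes, as an added example that is not part of the original patch or thread: it runs the pre-patch and patched comparisons over constructed key_len values and counts the ones each lets through. struct auth_bytes_demo is an assumed stand-in for struct sctp_auth_bytes (only its size matters here), and all function names are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for struct sctp_auth_bytes; only its size matters. */
struct auth_bytes_demo {
	int refcnt;
	uint32_t len;
	uint8_t data[];
};

/* Pre-patch form: key_len is unsigned, so INT_MAX - key_len is computed
 * unsigned and wraps once key_len > INT_MAX. Returns 1 when rejected. */
static int old_check_rejects(uint32_t key_len)
{
	return (INT_MAX - key_len) < sizeof(struct auth_bytes_demo);
}

/* Patched form: the right-hand side is a constant that cannot wrap. */
static int new_check_rejects(uint32_t key_len)
{
	return key_len > INT_MAX - sizeof(struct auth_bytes_demo);
}

/* Ground truth in 64 bits: does header size + key_len exceed INT_MAX? */
static int sum_exceeds_int_max(uint32_t key_len)
{
	return (uint64_t)key_len + sizeof(struct auth_bytes_demo) > (uint64_t)INT_MAX;
}

/* Count constructed boundary values that a check wrongly lets through. */
static int count_missed(int (*rejects)(uint32_t))
{
	const uint32_t samples[] = { 0, 16, 0x7ffffff7u, 0x7ffffff8u,
				     0x7fffffffu, 0x80000000u, 0x80000001u, 0xffffffffu };
	int missed = 0;
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		if (sum_exceeds_int_max(samples[i]) && !rejects(samples[i]))
			missed++;
	return missed;
}

int main(void)
{
	printf("old check misses %d, new check misses %d\n",
	       count_missed(old_check_rejects), count_missed(new_check_rejects));
	return 0;
}
```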

Comments

David Miller Nov. 29, 2011, 6:19 a.m. UTC | #1
From: Xi Wang <xi.wang@gmail.com>
Date: Tue, 22 Nov 2011 20:55:30 -0500

> The previous commit 30c2235c is incomplete and cannot prevent integer
> overflows. For example, when key_len is 0x80000000 (INT_MAX + 1), the
> left-hand side of the check, (INT_MAX - key_len), which is unsigned,
> becomes 0xffffffff (UINT_MAX) and bypasses the check.
> 
> Signed-off-by: Xi Wang <xi.wang@gmail.com>

Applied, but I had to apply your patch by hand because it was
corrupted by your email client.

Please fix this problem because I am not applying any other patch
you've submitted which has this issue.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Xi Wang Nov. 29, 2011, 7:31 p.m. UTC | #2
Sorry my bad.

BTW it seems that the patch was not applied correctly either in
the commit a5e5c374 --- it says "No differences found".

Can you please apply the new patch v2?  Thanks.

- xi

On Nov 29, 2011, at 1:19 AM, David Miller wrote:
> 
> Applied, but I had to apply your patch by hand because it was
> corrupted by your email client.
> 
> Please fix this problem because I am not applying any other patch
> you've submitted which has this issue.

David Miller Nov. 29, 2011, 7:39 p.m. UTC | #3
From: Xi Wang <xi.wang@gmail.com>
Date: Tue, 29 Nov 2011 14:31:30 -0500

> a5e5c374 --- it says "No differences found".
> 
> Can you please apply the new patch v2?  Thanks.

Sigh, probably a side effect of how your patch was corrupted
and how I tried to fix it up by hand :-/

Ok, I'll apply v2, thanks.

Patch

diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 865e68f..989e0fd 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -82,7 +82,7 @@  static struct sctp_auth_bytes *sctp_auth_create_key(__u32 key_len, gfp_t gfp)
	struct sctp_auth_bytes *key;

	/* Verify that we are not going to overflow INT_MAX */
-	if ((INT_MAX - key_len) < sizeof(struct sctp_auth_bytes))
+	if (key_len > INT_MAX - sizeof(struct sctp_auth_bytes))
		return NULL;

	/* Allocate the shared key */
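
Review bot: the comment above the rewritten check ("Verify that we are not going to overflow INT_MAX") does not say why key_len has to stand alone on the left of the comparison, so a later cleanup could restore the subtractive form without noticing the regression. key_len is __u32, so `INT_MAX - key_len` is evaluated unsigned and wraps for every key_len above INT_MAX, whereas `INT_MAX - sizeof(struct sctp_auth_bytes)` is a constant that cannot wrap. Suggest extending the comment to state that key_len is unsigned and must not appear in the subtraction.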