diff mbox

[Precise,CVE-2015-2042,3/3] net: rds: use correct size for max unacked packets and bytes

Message ID 1426765109-28629-4-git-send-email-luis.henriques@canonical.com
State New
Headers show

Commit Message

Luis Henriques March 19, 2015, 11:38 a.m. UTC 
From: Sasha Levin <sasha.levin@oracle.com>

Max unacked packets/bytes is an int while sizeof(long) was used in the
sysctl table.

This means that when they were getting read we'd also leak kernel memory
to userspace along with the timeout values.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit db27ebb111e9f69efece08e4cb6a34ff980f8896)
CVE-2015-2042
BugLink: http://bugs.launchpad.net/bugs/1425274
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 net/rds/sysctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff mbox

Patch

diff --git a/net/rds/sysctl.c b/net/rds/sysctl.c
index 25ad0c77a26c..065026f9a641 100644
--- a/net/rds/sysctl.c
+++ b/net/rds/sysctl.c
@@ -71,14 +71,14 @@  static ctl_table rds_sysctl_rds_table[] = {
 	{
 		.procname	= "max_unacked_packets",
 		.data		= &rds_sysctl_max_unacked_packets,
-		.maxlen         = sizeof(unsigned long),
+		.maxlen         = sizeof(int),
 		.mode           = 0644,
 		.proc_handler   = proc_dointvec,
 	},
 	{
 		.procname	= "max_unacked_bytes",
 		.data		= &rds_sysctl_max_unacked_bytes,
-		.maxlen         = sizeof(unsigned long),
+		.maxlen         = sizeof(int),
 		.mode           = 0644,
 		.proc_handler   = proc_dointvec,
 	},