]> git.karo-electronics.de Git - karo-tx-linux.git/commitdiff
rds: Integer overflow in RDS cmsg handling
authorDan Rosenberg <drosenberg@vsecurity.com>
Wed, 17 Nov 2010 06:37:16 +0000 (06:37 +0000)
committerGreg Kroah-Hartman <gregkh@suse.de>
Thu, 9 Dec 2010 21:27:12 +0000 (13:27 -0800)
commit 218854af84038d828a32f061858b1902ed2beec6 upstream.

In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX.  This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation.  This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value.  If it somehow doesn't crash here, then memory
corruption could occur soon after.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
net/rds/rdma.c

index 8dc83d2caa58d02d7036ea697a5fac65f470b564..6b09b941d3a77b220d88f288844aa15b7efa3362 100644 (file)
@@ -447,7 +447,7 @@ static struct rds_rdma_op *rds_rdma_prepare(struct rds_sock *rs,
                goto out;
        }
 
-       if (args->nr_local > (u64)UINT_MAX) {
+       if (args->nr_local > UIO_MAXIOV) {
                ret = -EMSGSIZE;
                goto out;
        }