| commit | 69273e33a6d22d73dd89e4a68d54a0af3bd0e460 | |
| author | Dan Rosenberg <drosenberg@vsecurity.com> | |
| Wed, 22 Dec 2010 13:58:27 +0000 (22 13:58 +0000) | ||
| committer | Greg Kroah-Hartman <gregkh@suse.de> | |
| Thu, 14 Apr 2011 23:53:14 +0000 (14 16:53 -0700) | ||
| tree | 3b2c9f129f71e0ff07b0732e0846c0ceb7ac7287 | treesnapshot (tar.gz zip) |
| parent | de00d49034d47ceaf4d44b6720b77deb40ca1692 | commitdiff |
irda: prevent integer underflow in IRLMP_ENUMDEVICES
commit fdac1e0697356ac212259f2147aa60c72e334861 upstream.
If the user-provided len is less than the expected offset, the
IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
size value. While this isn't be a security issue on x86 because it will
get caught by the access_ok() check, it may leak large amounts of kernel
heap on other architectures. In any event, this patch fixes it.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Moritz Muehlenhoff <jmm@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit fdac1e0697356ac212259f2147aa60c72e334861 upstream.
If the user-provided len is less than the expected offset, the
IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
size value. While this isn't be a security issue on x86 because it will
get caught by the access_ok() check, it may leak large amounts of kernel
heap on other architectures. In any event, this patch fixes it.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Moritz Muehlenhoff <jmm@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| net/irda/af_irda.c | diffblobblamehistory |