| To: | Marcel Holtmann <marcel@xxxxxxxxxxxx> |
|---|---|
| Subject: | Re: some bluetooth fixes |
| From: | Andi Kleen <ak@xxxxxxx> |
| Date: | Sun, 15 Feb 2004 00:25:13 +0100 |
| Cc: | bluez-devel@xxxxxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, viro@xxxxxxxxxxxxxxxxxx |
| In-reply-to: | <1076525743.2792.1.camel@pegasus> |
| References: | <20040206050042.20a2b3b0.ak@xxxxxxx> <1076079512.2806.40.camel@pegasus> <20040207032428.56ffbebc.ak@xxxxxxx> <1076152411.14418.73.camel@pegasus> <20040207125723.391a1fcd.ak@xxxxxxx> <1076173068.2670.4.camel@pegasus> <20040207172436.GB449@xxxxxxxxxxxxx> <1076525743.2792.1.camel@pegasus> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
On Wed, 11 Feb 2004 19:55:43 +0100
Marcel Holtmann <marcel@xxxxxxxxxxxx> wrote:
> Hi Andi,
>
> > Doing size checks after the multiply is too late - they could
> > have already overflowed. You have to check the raw value from the user.
>
> new patch is attached.
+ if (req.conn_num * sizeof(*ci) > PAGE_SIZE * 2)
+ return -EINVAL;
This can still overflow. It should be
if (req.conn_num > (PAGE_SIZE * 2)/sizeof(*ci))
return -EINVAL
-Andi
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: [PATCH] IPV6: clean-up ndisc printk's, David S. Miller |
|---|---|
| Next by Date: | Re: TProxy, 2.4 Kernel and NetFilter, KOVACS Krisztian |
| Previous by Thread: | Re: some bluetooth fixes, Marcel Holtmann |
| Next by Thread: | Re: some bluetooth fixes, Marcel Holtmann |
| Indexes: | [Date] [Thread] [Top] [All Lists] |