
Re: some bluetooth fixes

To: Marcel Holtmann <marcel@xxxxxxxxxxxx>
Subject: Re: some bluetooth fixes
From: Andi Kleen <ak@xxxxxxx>
Date: Sun, 15 Feb 2004 00:25:13 +0100
Cc: bluez-devel@xxxxxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, viro@xxxxxxxxxxxxxxxxxx
In-reply-to: <1076525743.2792.1.camel@pegasus>
References: <20040206050042.20a2b3b0.ak@xxxxxxx> <1076079512.2806.40.camel@pegasus> <20040207032428.56ffbebc.ak@xxxxxxx> <1076152411.14418.73.camel@pegasus> <20040207125723.391a1fcd.ak@xxxxxxx> <1076173068.2670.4.camel@pegasus> <20040207172436.GB449@xxxxxxxxxxxxx> <1076525743.2792.1.camel@pegasus>
Sender: netdev-bounce@xxxxxxxxxxx
On Wed, 11 Feb 2004 19:55:43 +0100
Marcel Holtmann <marcel@xxxxxxxxxxxx> wrote:

> Hi Andi,
> > Doing size checks after the multiply is too late - they could
> > have already overflowed. You have to check the raw value from the user.
> New patch is attached.

+       if (req.conn_num * sizeof(*ci) > PAGE_SIZE * 2)
+               return -EINVAL;
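Review bot: The comparison `req.conn_num * sizeof(*ci) > PAGE_SIZE * 2` is evaluated only after the multiplication, so a sufficiently large `req.conn_num` can wrap the product to a small value that passes the check; whether that wrap is reachable depends on the width of `req.conn_num` relative to `size_t`, which is not visible in this hunk. Comparing the raw count against the bound divided by the element size, `if (req.conn_num > (PAGE_SIZE * 2) / sizeof(*ci))`, involves no multiplication and is correct regardless of the field's type.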

This can still overflow. It should be

        if (req.conn_num > (PAGE_SIZE * 2)/sizeof(*ci))
                return -EINVAL;


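Added illustration, not code from this thread or from the BlueZ kernel sources: a userspace model of the two checks. The record type `struct conn_info` (16 bytes) stands in for `*ci`, `PAGE_SIZE` is taken as 4096, and the count is held in a 32-bit unsigned type with 32-bit arithmetic so the wrap is observable on any host; these are assumptions, not the kernel's actual definitions.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifndef PAGE_SIZE
#define PAGE_SIZE 4096UL          /* assumed page size for the model */
#endif
#define MAX_BYTES (PAGE_SIZE * 2) /* bound used in the patch: two pages */

/* Constructed stand-in for the record type behind *ci; 16 bytes, no padding. */
struct conn_info {
    uint32_t handle;
    uint32_t link_mode;
    uint8_t  bdaddr[6];
    uint8_t  type;
    uint8_t  state;
};

/* The form from the patch: multiply first, then compare.  The product is
 * deliberately kept in 32 bits so that a large count wraps before the test. */
int check_after_multiply(uint32_t conn_num)
{
    uint32_t bytes = conn_num * (uint32_t)sizeof(struct conn_info); /* may wrap */
    if (bytes > MAX_BYTES)
        return -EINVAL;
    return 0;
}

/* The form suggested in the reply: compare the raw count against the bound
 * divided by the record size.  No multiplication, so nothing can wrap. */
int check_before_multiply(uint32_t conn_num)
{
    if (conn_num > MAX_BYTES / sizeof(struct conn_info))
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* 0x10000000 * 16 == 2^32, which wraps to 0 in 32-bit arithmetic. */
    uint32_t wrapping = (uint32_t)(0x100000000ULL / sizeof(struct conn_info));
    printf("count=%u  multiply-first=%d  divide-first=%d\n",
           wrapping, check_after_multiply(wrapping), check_before_multiply(wrapping));
    printf("count=512 multiply-first=%d  divide-first=%d\n",
           check_after_multiply(512), check_before_multiply(512));
    return 0;
}
```

The multiply-first check accepts the wrapping count as if it fit in two pages, while the divide-first check rejects it and still accepts the largest legitimate count (512 records).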