Commit 536a16fe authored by Arjan van de Ven, committed by Greg Kroah-Hartman

net ax25: Fix signed comparison in the sockopt handler

fixed upstream in commit b7058842 in a different way

The ax25 code tried to use

        if (optlen < sizeof(int))
                return -EINVAL;

as a security check against optlen being negative (or zero) in the
set socket option.

Unfortunately, "sizeof(int)" is an unsigned property, with the
result that the whole comparison is done in unsigned, letting
negative values slip through.

This patch changes this to

        if (optlen < (int)sizeof(int))
                return -EINVAL;

so that the comparison is done as signed, and negative values
get properly caught.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
parent 7e7f56f9
...@@ -538,7 +538,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname, ...@@ -538,7 +538,7 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
if (level != SOL_AX25) if (level != SOL_AX25)
return -ENOPROTOOPT; return -ENOPROTOOPT;
if (optlen < sizeof(int)) if (optlen < (int)sizeof(int))
return -EINVAL; return -EINVAL;
if (get_user(opt, (int __user *)optval)) if (get_user(opt, (int __user *)optval))
......
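Review bot: the changed line `if (optlen < (int)sizeof(int))` relies entirely on the cast to keep the comparison signed, and nothing in the code says so; a later cleanup that drops the cast as redundant would silently restore the old behaviour. Add a one-line comment above the check stating that optlen is signed and the cast is deliberate, or spell the intent out as `if (optlen < 0 || optlen < sizeof(int))`. This matters because the next context line, `get_user(opt, (int __user *)optval)`, reads a full int from optval and this check is the only length validation visible before it.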
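The conversion the commit message describes, as an added example that is not part of the original commit: the two checks are lifted from the message into stand-alone user-space functions and run over boundary values. The names `check_before`, `check_after` and `count_disagreements` are hypothetical, and the sample `optlen` values are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* GCC/Clang -Wsign-compare flags the pre-patch check; silenced here so the
 * original comparison can be kept verbatim. */
#pragma GCC diagnostic ignored "-Wsign-compare"

/* Pre-patch check: optlen is converted to size_t before the comparison,
 * so a negative optlen becomes a huge unsigned value and passes. */
static int check_before(int optlen)
{
    if (optlen < sizeof(int))
        return -EINVAL;
    return 0;
}

/* Patched check: both operands are int, so negative values are rejected. */
static int check_after(int optlen)
{
    if (optlen < (int)sizeof(int))
        return -EINVAL;
    return 0;
}

/* Run both checks over constructed boundary values and count the inputs
 * on which they disagree. */
static int count_disagreements(void)
{
    const int samples[] = { INT_MIN, -4, -1, 0, 3, 4, 8, INT_MAX };
    int n = 0;

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int before = check_before(samples[i]);
        int after = check_after(samples[i]);

        printf("optlen=%11d as size_t=%20zu before=%4d after=%4d\n",
               samples[i], (size_t)samples[i], before, after);
        if (before != after)
            n++;
    }
    return n;
}

int main(void)
{
    printf("checks disagree on %d inputs\n", count_disagreements());
    return 0;
}
```

The two checks differ only on the negative inputs; zero and the other values below `sizeof(int)` are rejected by both.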