Minor net/core/sock.c security issue?

From: Chris Evans (chris@scary.beasts.org)
Date: Mon Jul 23 2001 - 17:24:19 EST


May be nothing, but it looks like SO_*BUF may have signedness issues (have
these been picked up by the Stanford tools and fixed in recent 2.4.x?)

    int val;
    case SO_SNDBUF:
      if (val > sysctl_wmem_max)
        val = sysctl_wmem_max;
      sk->sndbuf = max(val*2,2048);

If val is negative, then sk->sndbuf ends up negative. This is because the
arguments to max are passed as _unsigned_ ints. SO_RCVBUF has similar
issues. Maybe a nasty local user could use this to chew up memory?


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

This archive was generated by hypermail 2b29 : Mon Jul 23 2001 - 21:00:17 EST