[PATCH net-next-2.6 ] Fix overflow of socket buffer in sunrpc
From: Mitsuo Hayasaka
Date: Thu Sep 01 2011 - 23:36:56 EST
The sk_sndbuf and sk_rcvbuf fields of struct sock are sizes of send and
receive socket buffers respectively, and are defined as integer.
The sunrpc which is used in NFSD and any other applications can change them
via svc_sock_setbufsize(). It, however, sets them as unsigned integer and
may cause overflow of integer. This leads to a degradation of networking
capability.
This patch adds integer-overflow check into svc_sock_setbufsize() before
both fields are set, and limits their maximum sizes to INT_MAX.
Signed-off-by: Mitsuo Hayasaka <mitsuo.hayasaka.hu@xxxxxxxxxxx>
Cc: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>
Cc: "J. Bruce Fields" <bfields@xxxxxxxxxxxx>
Cc: Neil Brown <neilb@xxxxxxx>
Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
---
net/sunrpc/svcsock.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index 767d494..bd66775 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -54,6 +54,7 @@
#include "sunrpc.h"
#define RPCDBG_FACILITY RPCDBG_SVCXPRT
+#define MAX_SKBUFSIZ INT_MAX
static struct svc_sock *svc_setup_socket(struct svc_serv *, struct socket *,
@@ -435,6 +436,11 @@ static void svc_sock_setbufsize(struct socket *sock, unsigned int snd,
* on not having CAP_SYS_RESOURCE or similar, we go direct...
* DaveM said I could!
*/
+ if (snd > MAX_SKBUFSIZ/2)
+ snd = MAX_SKBUFSIZ/2;
+ if (rcv > MAX_SKBUFSIZ/2)
+ rcv = MAX_SKBUFSIZ/2;
+
lock_sock(sock->sk);
sock->sk->sk_sndbuf = snd * 2;
sock->sk->sk_rcvbuf = rcv * 2;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/