On 3/28/07, Ian McDonald <ian.mcdonald@xxxxxxxxxxx> wrote:
On 3/29/07, Arnaldo Carvalho de Melo <acme@xxxxxxxxxxxxxxxxxx> wrote:
> David,
>
> Please push for 2.6.21 and stable (CCed for good measure).
>
> - Arnaldo
>
> -----------------------------------
>
> We were only checking if there was enough space to put the int, but left len as
> specified by the (malicious) user, sigh, fix it by setting len to sizeof(val) and
> transferring just one int worth of data, the one asked for.
>
> Also check for negative len values.
>

Part of the issue here is possibly that we are using signed ints here and the type from userspace is socklen_t which by my quick check is unsigned on my system. I haven't checked how this is defined on other architectures yet but if this is the case we should tidy up to remove other possible errors of this type. I'll look into this some more as time permits. Or am I talking through a hole in my head?
One way or the other we are safe now, no?

- Arnaldo
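The length handling discussed in this thread, as a userspace model added here; it is not the kernel code from the patch, which this page does not show. `struct frame`, `model_copy_out`, `getopt_flawed`, `getopt_fixed`, `leaked_bytes` and the `-EINVAL` return are assumptions of this example, and the frame contents are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a kernel stack frame: val, then unrelated bytes. */
struct frame { int val; char neighbour[12]; };
/* Hypothetical stand-in for copy_to_user(). */
static void model_copy_out(void *dst, const void *src, size_t n) { memcpy(dst, src, n); }

/* Flawed pattern: checks only that an int fits, then copies the caller's len. */
int getopt_flawed(const struct frame *f, void *optval, int len)
{
    /* The cast spells out what C does implicitly when an int meets sizeof:
     * -1 becomes SIZE_MAX, so a negative len passes this check. */
    if ((size_t)len < sizeof(f->val))
        return -EINVAL;
    if ((size_t)len > sizeof(*f))   /* model-only cap keeps the demo in bounds */
        len = (int)sizeof(*f);
    model_copy_out(optval, f, (size_t)len);
    return len;
}

/* Fix as described: reject negative len, then set len to sizeof(val). */
int getopt_fixed(const struct frame *f, void *optval, int len)
{
    if (len < 0 || (size_t)len < sizeof(f->val))
        return -EINVAL;
    len = (int)sizeof(f->val);
    model_copy_out(optval, &f->val, (size_t)len);
    return len;
}

/* Count bytes of f.neighbour that reach a caller buffer for a given len. */
int leaked_bytes(int (*handler)(const struct frame *, void *, int), int len)
{
    struct frame f = { .val = 7 };
    unsigned char out[sizeof(struct frame)] = { 0 };
    int n = 0;
    memset(f.neighbour, 'S', sizeof(f.neighbour));
    handler(&f, out, len);
    for (size_t i = sizeof(f.val); i < sizeof(out); i++)
        n += (out[i] == 'S');
    return n;
}

int main(void)
{
    printf("flawed: %d %d, fixed: %d %d\n", leaked_bytes(getopt_flawed, 16),
           leaked_bytes(getopt_flawed, -1), leaked_bytes(getopt_fixed, 16), leaked_bytes(getopt_fixed, -1));
}
```

The negative-len case is where the signed int versus socklen_t mismatch shows up: the size check alone does not reject it.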