On Tuesday 2010-03-23 03:37, wzt wzt wrote: >> And, for the addition overflow, can it be caught by >> >> "if (*len != sizeof(struct ipt_get_entries) + get.size)" ??? > >sizeof(struct ipt_get_entries) + get.size can be overflow as *len, >get.size is control by user space with copy_from_user(). The != should catch it. For 64-bit environments: * + invoked with size_t, unsigned int => right side promoted to size_t, result type is size_t * != invoked with int and size_t => left-side promoted to ssize_t (probably; but something as large as size_t) * get.size is 32-bit bounded, as is *len, so no overflow to worry about at all unless you make sizeof(X) hilariously big close to 2^64 which is rather unlikely. For 32-bit environments: * Let *len be a number of choice (e.g. 36) * Find a sizeof(X)+get.size that equals 36 mod 2^32. * Since sizeof(X) is const, get.size must be 0 mod 2^32. * So get.size must be a multiple of 2^32 to fool the system. * Since get.size itself is only a 32-bit quantity, you cannot represent any value larger than 4294967295. What Was What Was Wanted. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html