This is a note to let you know that I've just added the patch titled
net/packet: fix overflow in check for tp_reserve
to the 3.18-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
net-packet-fix-overflow-in-check-for-tp_reserve.patch
and it can be found in the queue-3.18 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Sun Apr 30 15:50:51 CEST 2017
From: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Date: Wed, 29 Mar 2017 16:11:22 +0200
Subject: net/packet: fix overflow in check for tp_reserve
From: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
[ Upstream commit bcc5364bdcfe131e6379363f089e7b4108d35b70 ]
When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
Fix by checking that tp_reserve <= INT_MAX on assign.
Signed-off-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Acked-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/packet/af_packet.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3314,6 +3314,8 @@ packet_setsockopt(struct socket *sock, i
return -EBUSY;
if (copy_from_user(&val, optval, sizeof(val)))
return -EFAULT;
+ if (val > INT_MAX)
+ return -EINVAL;
po->tp_reserve = val;
return 0;
}
Patches currently in stable-queue which might be from andreyknvl@xxxxxxxxxx are
queue-3.18/sctp-listen-on-the-sock-only-when-it-s-state-is-listening-or-closed.patch
queue-3.18/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
queue-3.18/net-packet-fix-overflow-in-check-for-tp_reserve.patch
queue-3.18/ip6mr-fix-notification-device-destruction.patch