This is a note to let you know that I've just added the patch titled
net/packet: fix overflow in check for tp_reserve
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
net-packet-fix-overflow-in-check-for-tp_reserve.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Sun Apr 30 15:46:17 CEST 2017
From: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Date: Wed, 29 Mar 2017 16:11:22 +0200
Subject: net/packet: fix overflow in check for tp_reserve
From: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
[ Upstream commit bcc5364bdcfe131e6379363f089e7b4108d35b70 ]
When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
Fix by checking that tp_reserve <= INT_MAX on assign.
Signed-off-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
Acked-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/packet/af_packet.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3626,6 +3626,8 @@ packet_setsockopt(struct socket *sock, i
return -EBUSY;
if (copy_from_user(&val, optval, sizeof(val)))
return -EFAULT;
+ if (val > INT_MAX)
+ return -EINVAL;
po->tp_reserve = val;
return 0;
}
Patches currently in stable-queue which might be from andreyknvl@xxxxxxxxxx are
queue-4.4/ipv6-check-skb-protocol-before-lookup-for-nexthop.patch
queue-4.4/net-timestamp-avoid-use-after-free-in-ip_recv_error.patch
queue-4.4/sctp-listen-on-the-sock-only-when-it-s-state-is-listening-or-closed.patch
queue-4.4/net-ipv6-rtf_pcpu-should-not-be-settable-from-userspace.patch
queue-4.4/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
queue-4.4/net-packet-fix-overflow-in-check-for-tp_reserve.patch
queue-4.4/ip6mr-fix-notification-device-destruction.patch