Hi All,
at the suggestion of Chris ([EMAIL PROTECTED]) I wrote a simple
checker to warn when the length parameter to copy_*_user was (1) an
integer and (2) not checked < 0.
As an example, the ipv6 routine rawv6_geticmpfilter gets an integer 'len'
from user space, checks that it is smaller than a struct size and then
uses length as an argument to copy_to_user:
    if (get_user(len, optlen))
        return -EFAULT;
    if (len > sizeof(struct icmp6_filter))
        len = sizeof(struct icmp6_filter);
    if (put_user(len, optlen))
        return -EFAULT;
    if (copy_to_user(optval, &sk->tp_pinfo.tp_raw.filter, len))
        return -EFAULT;
Is this a real bug? Or is the checked rule only applicable to
__copy_*_user routines rather than copy_*_user routines? (If it's a real
bug, there's about 8 others that we found.)
Thanks,
Dawson
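The following is an added illustration, not code from the mail or from the kernel. It models the quoted length handling in user space so the integer conversions can be observed: copy_to_user takes an unsigned count, so a negative int len converts to a huge value at the call; but when the upper bound is sizeof(), which is size_t, the comparison itself is done unsigned, so a negative len already compares greater and is clamped. A constructed variant with a signed constant as the bound shows the shape the checker is really after, and a third routine shows the explicit `len < 0` check that closes it. The struct size, the fake copy_to_user and the buffers are all assumptions of the example.

```c
/* Added example: user-space model of int -> unsigned conversions around
 * copy_to_user. Not the kernel's code; sizes and helpers are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <limits.h>
#include <string.h>
#include <stdio.h>

#define EFAULT 14
#define EINVAL 22
#define FILTER_LEN 32                 /* assumed size of struct icmp6_filter */

struct icmp6_filter { uint32_t data[8]; };   /* 8 x u32 = 32 bytes, assumed */

static struct icmp6_filter filt;             /* stands in for the socket's filter */
static unsigned char user_buf[FILTER_LEN];   /* stands in for the user buffer */
unsigned long last_count;                    /* count the last copy was asked for */

/* Stand-in for copy_to_user: records the requested count and copies only if
 * it fits the user buffer. Like the kernel routine it returns the number of
 * bytes NOT copied, so 0 means success. */
static unsigned long fake_copy_to_user(void *to, size_t to_size,
                                       const void *from, unsigned long n)
{
    last_count = n;
    if (n > to_size)
        return n - to_size;
    memcpy(to, from, n);
    return 0;
}

/* Shape quoted in the mail: int len bounded only against sizeof().
 * sizeof() is size_t, so the usual arithmetic conversions make this an
 * unsigned comparison: a negative len becomes a huge value, compares
 * greater, and is clamped to the struct size before the copy. */
int getfilter_sizeof_bound(int len)
{
    if (len > sizeof(struct icmp6_filter))
        len = sizeof(struct icmp6_filter);
    if (fake_copy_to_user(user_buf, sizeof user_buf, &filt, len))
        return -EFAULT;
    return len;                       /* bytes copied */
}

/* Constructed variant of the class the checker flags: the bound is a signed
 * constant, the comparison stays signed, a negative len passes through and
 * only turns into a huge unsigned count at the copy_to_user call. */
int getfilter_int_bound(int len)
{
    if (len > FILTER_LEN)
        len = FILTER_LEN;
    if (fake_copy_to_user(user_buf, sizeof user_buf, &filt, len))
        return -EFAULT;
    return len;
}

/* Hardened form of the variant: reject negative lengths explicitly, which is
 * the check the mail's rule asks for. */
int getfilter_int_bound_checked(int len)
{
    if (len < 0)
        return -EINVAL;
    return getfilter_int_bound(len);
}

int main(void)
{
    printf("sizeof bound, len=-1 -> ret %d, count asked %lu\n",
           getfilter_sizeof_bound(-1), last_count);
    printf("int bound,    len=-1 -> ret %d, count asked %lu\n",
           getfilter_int_bound(-1), last_count);
    printf("checked,      len=-1 -> ret %d\n",
           getfilter_int_bound_checked(-1));
    return 0;
}
```

Running it shows the first routine copying 32 bytes for len = -1, the second asking the copy routine for ULONG_MAX bytes (which the fake rejects, but a real copy_to_user would treat as a size), and the third returning -EINVAL before any copy is attempted. The practical takeaway for a checker is that the sign of the comparison operand matters: a bound of sizeof() or another unsigned type implicitly handles negatives, a bound of a signed constant does not.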
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/