[kernel] r16506 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at alioth.debian.org
Sat Oct 30 08:48:50 UTC 2010 

Author: benh
Date: Sat Oct 30 08:48:46 2010
New Revision: 16506

Log:
net/socket: Limit sendto()/recvfrom() length

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/net-socket-limit-sendto-recvfrom-length.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/27

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Sat Oct 30 08:33:37 2010	(r16505)
+++ dists/sid/linux-2.6/debian/changelog	Sat Oct 30 08:48:46 2010	(r16506)
@@ -23,6 +23,7 @@
     - Update Vietnamese (Clytie Siddall) (Closes: #601534)
   * phonet: device notifier only runs on initial namespace
     (Really closes: #597904)
+  * net/socket: Limit sendto()/recvfrom() length
 
   [ Ian Campbell ]
   * xen: import additional fixes for disabling netfront smartpoll mode

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/net-socket-limit-sendto-recvfrom-length.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/net-socket-limit-sendto-recvfrom-length.patch	Sat Oct 30 08:48:46 2010	(r16506)
@@ -0,0 +1,34 @@
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Fri, 29 Oct 2010 14:41:03 -0700
+
+I think you'd want this as well, to make sure that sendto/recvfrom
+don't generate invalid iovecs.
+
+Feel free to add my sign-off (or just commit it as yourself) after
+giving it some testing.
+---
+ net/socket.c |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/net/socket.c b/net/socket.c
+index 5247ae1..3ca2fd9 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1652,6 +1652,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
+ 	struct iovec iov;
+ 	int fput_needed;
+ 
++	if (len > INT_MAX)
++		len = INT_MAX;
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (!sock)
+ 		goto out;
+@@ -1709,6 +1711,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+ 	int err, err2;
+ 	int fput_needed;
+ 
++	if (size > INT_MAX)
++		size = INT_MAX;
+ 	sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ 	if (!sock)
+ 		goto out;

Modified: dists/sid/linux-2.6/debian/patches/series/27
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/27	Sat Oct 30 08:33:37 2010	(r16505)
+++ dists/sid/linux-2.6/debian/patches/series/27	Sat Oct 30 08:48:46 2010	(r16506)
@@ -20,3 +20,4 @@
 + bugfix/all/drm-i915-Unset-cursor-if-out-of-bounds-upon-mode-cha.patch
 + bugfix/all/drm-i915-agp-intel-Add-second-set-of-PCI-IDs-for-B43.patch
 + bugfix/all/net-Limit-socket-I-O-iovec-total-length-to-INT_MAX.patch
++ bugfix/all/net-socket-limit-sendto-recvfrom-length.patch

More information about the Kernel-svn-changes mailing list