[kernel] r16506 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at alioth.debian.org
Sat Oct 30 08:48:50 UTC 2010
Author: benh
Date: Sat Oct 30 08:48:46 2010
New Revision: 16506
Log:
net/socket: Limit sendto()/recvfrom() length
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/net-socket-limit-sendto-recvfrom-length.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/27
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Sat Oct 30 08:33:37 2010 (r16505)
+++ dists/sid/linux-2.6/debian/changelog Sat Oct 30 08:48:46 2010 (r16506)
@@ -23,6 +23,7 @@
- Update Vietnamese (Clytie Siddall) (Closes: #601534)
* phonet: device notifier only runs on initial namespace
(Really closes: #597904)
+ * net/socket: Limit sendto()/recvfrom() length
[ Ian Campbell ]
* xen: import additional fixes for disabling netfront smartpoll mode
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/net-socket-limit-sendto-recvfrom-length.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/net-socket-limit-sendto-recvfrom-length.patch Sat Oct 30 08:48:46 2010 (r16506)
@@ -0,0 +1,34 @@
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Fri, 29 Oct 2010 14:41:03 -0700
+
+I think you'd want this as well, to make sure that sendto/recvfrom
+don't generate invalid iovecs.
+
+Feel free to add my sign-off (or just commit it as yourself) after
+giving it some testing.
+---
+ net/socket.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/net/socket.c b/net/socket.c
+index 5247ae1..3ca2fd9 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1652,6 +1652,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
+ struct iovec iov;
+ int fput_needed;
+
++ if (len > INT_MAX)
++ len = INT_MAX;
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ if (!sock)
+ goto out;
+@@ -1709,6 +1711,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
+ int err, err2;
+ int fput_needed;
+
++ if (size > INT_MAX)
++ size = INT_MAX;
+ sock = sockfd_lookup_light(fd, &err, &fput_needed);
+ if (!sock)
+ goto out;
Modified: dists/sid/linux-2.6/debian/patches/series/27
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/27 Sat Oct 30 08:33:37 2010 (r16505)
+++ dists/sid/linux-2.6/debian/patches/series/27 Sat Oct 30 08:48:46 2010 (r16506)
@@ -20,3 +20,4 @@
+ bugfix/all/drm-i915-Unset-cursor-if-out-of-bounds-upon-mode-cha.patch
+ bugfix/all/drm-i915-agp-intel-Add-second-set-of-PCI-IDs-for-B43.patch
+ bugfix/all/net-Limit-socket-I-O-iovec-total-length-to-INT_MAX.patch
++ bugfix/all/net-socket-limit-sendto-recvfrom-length.patch
More information about the Kernel-svn-changes
mailing list