Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756778AbcJWVoK (ORCPT ); Sun, 23 Oct 2016 17:44:10 -0400
Received: from shards.monkeyblade.net ([184.105.139.130]:56472
	"EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1752145AbcJWVoH (ORCPT );
	Sun, 23 Oct 2016 17:44:07 -0400
Date: Sun, 23 Oct 2016 17:44:05 -0400 (EDT)
Message-Id: <20161023.174405.1335530959467229046.davem@davemloft.net>
To: jslaby@suse.cz
Cc: vyasevich@gmail.com, linux-kernel@vger.kernel.org,
	nhorman@tuxdriver.com, linux-sctp@vger.kernel.org,
	netdev@vger.kernel.org
Subject: Re: [PATCH] net: sctp, forbid negative length
From: David Miller
In-Reply-To: <20161021121324.13942-1-jslaby@suse.cz>
References: <20161021121324.13942-1-jslaby@suse.cz>
X-Mailer: Mew version 6.7 on Emacs 24.5 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.12
	(shards.monkeyblade.net [149.20.54.216]); Sun, 23 Oct 2016 14:44:06 -0700 (PDT)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 843
Lines: 24

From: Jiri Slaby
Date: Fri, 21 Oct 2016 14:13:24 +0200

> Most of getsockopt handlers in net/sctp/socket.c check len against
> sizeof some structure like:
>         if (len < sizeof(int))
>                 return -EINVAL;
>
> On the first look, the check seems to be correct. But since len is int
> and sizeof returns size_t, int gets promoted to unsigned size_t too. So
> the test returns false for negative lengths. Yes, (-1 < sizeof(long)) is
> false.
>
> Fix this in sctp by explicitly checking len < 0 before any getsockopt
> handler is called.
>
> Note that sctp_getsockopt_events already handled the negative case.
> Since we added the < 0 check elsewhere, this one can be removed.
>
> If not checked, this is the result:
 ...
> Signed-off-by: Jiri Slaby

Applied and queued up for -stable, thanks.
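
The comparison described in the quoted commit message, as an added user-space example that is not part of the patch or of net/sctp/socket.c. The function names (handler_len_check, getsockopt_unchecked, getsockopt_checked) and the sample lengths are hypothetical; only the `len < sizeof(int)` pattern and the `len < 0` pre-check come from the message.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* The mixed int/size_t comparison below is the point of the example. */
#pragma GCC diagnostic ignored "-Wsign-compare"

/* Hypothetical stand-in for one handler's length check (pattern quoted above). */
static int handler_len_check(int len)
{
	if (len < sizeof(int))	/* len is converted to size_t before comparing */
		return -EINVAL;
	return 0;		/* a real handler would go on to use len */
}

/* Before the fix: the handler sees whatever len the caller supplied. */
static int getsockopt_unchecked(int len)
{
	return handler_len_check(len);
}

/* After the fix: len < 0 is rejected before any handler is called. */
static int getsockopt_checked(int len)
{
	if (len < 0)
		return -EINVAL;
	return handler_len_check(len);
}

int main(void)
{
	/* Constructed sample lengths. */
	const int samples[] = { INT_MIN, -1, 0, 3, 4, 64 };
	size_t i;

	printf("%12s %22s %10s %8s\n", "len", "(size_t)len", "unchecked", "checked");
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int len = samples[i];

		printf("%12d %22zu %10d %8d\n", len, (size_t)len,
		       getsockopt_unchecked(len), getsockopt_checked(len));
	}
	return 0;
}
```

Building the unmodified pattern with -Wsign-compare (part of -Wextra for C in GCC) flags the comparison at compile time.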