Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp5334314ybi;
        Tue, 4 Jun 2019 05:12:47 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzZwSBDOappfyKlEbYCXFVsNnq3VCrtNBMl81uUP9jd45ffzmj0tg0SiOhIpUuiZNveSi6o
X-Received: by 2002:a17:90a:a415:: with SMTP id y21mr23397211pjp.75.1559650367608;
        Tue, 04 Jun 2019 05:12:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559650367; cv=none;
        d=google.com; s=arc-20160816;
        b=p9BDWzHalPyi+1DJLmnUvWVy5mdJc+aZpvibm2hVMWUVKnQZkf1T5lUZXom/4KMEnL
         5h1NmnP3vTMdtJjGR+mNGQGCfZthvdAZd84OxW9jZwkytg9i/uuDZFCsScBNPla+47sq
         KxKcnNdu9qROO+7AAUixrR2Fp0Np7VZcSNVcqghh989FNc64nCWrF0GCJj7fOEuTQkeT
         7IzmdQdwc3OzM4pdtKFQ4oEN5gi0WzQAM+S0vwp4UM1sBwrh92EUbIPU8Nhg8iTVwAih
         rEClQhc4aApl09E38IZJhWEgsNpnHrlhi1C0JLXZzMvFkqrWHtQih736apRPM7IUPGOD
         VtjQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=EwJYsf92ydp+RtKiuVnWST5ck78zmLqyjDy58wjkNzk=;
        b=uXOgror0DutQZO87YWOJ1cY6dNHOds1kyyspduYeqGrtkjkjSijXFNU/XjFy3D1pNV
         Np1ZQQ1kWo1VkSimGLkRd+qDJ1y9i9W7QTMpeh0QfE6P7UDCGxvlf7XTXP42t8xz0uqx
         P4ksHqMZJ6hk9Y++F4Q/HKiwczYzejeDXDZxXw70v5MKGgV8/ofEtNRuPs7PxJiMsv6G
         O5w9ZL9Qj+Wx8G/XiDP68hVsly1RViqaSBUauuzF5rBmy9bPy+NCCtZHjVA5HFgCkUWK
         l9GAA40ZFMLOL9XzAXv8MEjxgEDe/pU5AlzYMFWsS/U7l4Is/J2KJLUJ6W4/XEGCslgz
         CbRw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ALgMXYSh;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x13si21138564pgi.165.2019.06.04.05.12.29;
        Tue, 04 Jun 2019 05:12:47 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=ALgMXYSh;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727642AbfFDMKb (ORCPT <rfc822;testajctc@gmail.com> + 99 others);
        Tue, 4 Jun 2019 08:10:31 -0400
Received: from mail-pg1-f196.google.com ([209.85.215.196]:44643 "EHLO
        mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726847AbfFDMKa (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 4 Jun 2019 08:10:30 -0400
Received: by mail-pg1-f196.google.com with SMTP id n2so10237829pgp.11;
        Tue, 04 Jun 2019 05:10:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id;
        bh=EwJYsf92ydp+RtKiuVnWST5ck78zmLqyjDy58wjkNzk=;
        b=ALgMXYShkAFuscaf0G46Fe8IyL9l9sUJz35RiyTWOUtl+VQsGb3VE5G+kAFvWHJ989
         PzhD5ZvYnLcVx7VNy5G7ZxMWsPJ/EA4GdjGBTj1eyxgm7wi0fDim3GgYKIWP/UAlIHcK
         by1KonlJQhDWsjNTw4RJeeVd5uhcc9sFoTQe7jao13cWC/Lt2s6+rj4QdFK+EsLmCjsh
         Q9+fhsv77zWy4VweL+38l6VUado93b+f40sn8S2SE7dd8s1QPImSyoLhsooGIbYugyVS
         NNWrMuWwmz/yqigNzN2eRjfMiBv82P35nWrrgwBObfCb4jilxaFSQvDH0Pq3pLG/mElZ
         1hDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=EwJYsf92ydp+RtKiuVnWST5ck78zmLqyjDy58wjkNzk=;
        b=fEvvYOCdPKfih0B/zLavoAx9/khF/4apjKuFyimkfam3BTSFJF4vgAIx9JklsOdeP5
         TJ0LxnNbhwhmmX1rrvnd+rfAwGA4+15opld29ChdLrQCikHgniapZHplDRz3RU+r55VC
         T5YUcP9ZD4r0oHMMxmdAjqNuh/vxc2PoecV9MCPgOtGvDCK+z09k2/j0hv9fENa+e5F7
         LXDsmdxoCcub0PoL9E0SnsSEJ6OvvrZJwhKkYkCGSg78iwNCd3dGjVMpELpiuTbid7rJ
         Ym+iq7olOUFHcfHWNM2YV/arYPZAJjWN+Z0lBhk+yeYpN51UDvN4GWG/CpDFjfXdR9j4
         JuJA==
X-Gm-Message-State: APjAAAUOGZHtEtpRMshMYS0L5Et3/29BxeSo3jUYxBuWzBO6xQ7ierYl
        I8pKliTYgtRbLb133dM494BIuIdSf1asFQ==
X-Received: by 2002:a63:5d45:: with SMTP id o5mr35305514pgm.40.1559650229927;
        Tue, 04 Jun 2019 05:10:29 -0700 (PDT)
Received: from xy-data.openstacklocal (ecs-159-138-22-150.compute.hwclouds-dns.com. [159.138.22.150])
        by smtp.gmail.com with ESMTPSA id s1sm14168708pgp.94.2019.06.04.05.10.26
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Tue, 04 Jun 2019 05:10:28 -0700 (PDT)
From:   Young Xiao <92siuyang@gmail.com>
To:     ralf@linux-mips.org, davem@davemloft.net,
        linux-hams@vger.kernel.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org
Cc:     Young Xiao <92siuyang@gmail.com>
Subject: [PATCH] rose: af_rose: avoid overflows in rose_setsockopt()
Date:   Tue,  4 Jun 2019 20:11:30 +0800
Message-Id: <1559650290-17054-1-git-send-email-92siuyang@gmail.com>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Check setsockopt arguments to avoid overflows and return -EINVAL for
too large arguments.

See commit 32288eb4d940 ("netrom: avoid overflows in nr_setsockopt()")
for details.

Signed-off-by: Young Xiao <92siuyang@gmail.com>
---
 net/rose/af_rose.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index e274bc6..af831ee9 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -372,15 +372,15 @@ static int rose_setsockopt(struct socket *sock, int level, int optname,
 {
 	struct sock *sk = sock->sk;
 	struct rose_sock *rose = rose_sk(sk);
-	int opt;
+	unsigned long opt;
 
 	if (level != SOL_ROSE)
 		return -ENOPROTOOPT;
 
-	if (optlen < sizeof(int))
+	if (optlen < sizeof(unsigned int))
 		return -EINVAL;
 
-	if (get_user(opt, (int __user *)optval))
+	if (get_user(opt, (unsigned int __user *)optval))
 		return -EFAULT;
 
 	switch (optname) {
@@ -389,31 +389,31 @@ static int rose_setsockopt(struct socket *sock, int level, int optname,
 		return 0;
 
 	case ROSE_T1:
-		if (opt < 1)
+		if (opt < 1 || opt > ULONG_MAX / HZ)
 			return -EINVAL;
 		rose->t1 = opt * HZ;
 		return 0;
 
 	case ROSE_T2:
-		if (opt < 1)
+		if (opt < 1 || opt > ULONG_MAX / HZ)
 			return -EINVAL;
 		rose->t2 = opt * HZ;
 		return 0;
 
 	case ROSE_T3:
-		if (opt < 1)
+		if (opt < 1 || opt > ULONG_MAX / HZ)
 			return -EINVAL;
 		rose->t3 = opt * HZ;
 		return 0;
 
 	case ROSE_HOLDBACK:
-		if (opt < 1)
+		if (opt < 1 || opt > ULONG_MAX / HZ)
 			return -EINVAL;
 		rose->hb = opt * HZ;
 		return 0;
 
 	case ROSE_IDLE:
-		if (opt < 0)
+		if (opt < 0 || opt > ULONG_MAX / HZ)
 			return -EINVAL;
 		rose->idle = opt * 60 * HZ;
 		return 0;
-- 
2.7.4