linux-2.4.36: Commit

2.4.36-stable kernel tree

Commit MetaInfo

Revision: 996bad4803a2ebfebe7b27a431fbcae591f7d199 (tree)
Time: 2007-11-12 02:43:25
Author: dann frazier <dannf@dann...>
Committer: Willy Tarreau

Log Message

[PATCH 1/4] [OpenPROM]: Fix signedness bug in openprom char driver

CVE-2004-2731 describes two issues in the openprom driver.
The first issue, an integer overflow in copyin_string(), appears to be
fixed in 2.4. The second issue, an overflow in copyin(), is still present.

A description of both issues is here:

The user-provided 'bufsize' is checked for being too large, but is not checked
for being negative. This patch avoids this situation by making bufsize

This change has been in 2.6 for a number of years now:

Signed-off-by: dann frazier <dannf@hp.com>

Change Summary


--- a/drivers/sbus/char/openprom.c
+++ b/drivers/sbus/char/openprom.c
@@ -68,7 +68,7 @@ static int options_node = 0;
6868 */
6969 static int copyin(struct openpromio *info, struct openpromio **opp_p)
7070 {
71- int bufsize;
71+ unsigned int bufsize;
7373 if (!info || !opp_p)
7474 return -EFAULT;
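
Review bot: The new declaration `unsigned int bufsize;` in copyin() handles the negative case only indirectly. A negative user-supplied value now becomes a very large unsigned one, and the fix depends on the existing "too large" check mentioned in the log message rejecting it; that check is not in this hunk's context. Suggest a one-line comment at the declaration noting that bufsize comes from user space and must stay unsigned so the upper-bound test also covers negative input, and confirming that the comparison and every later use of bufsize in copyin() keep it unsigned, with no cast back to int.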
