• R/O
  • HTTP
  • SSH
  • HTTPS

linux-2.4.36: Commit

2.4.36-stable kernel tree


Commit MetaInfo

Revision996bad4803a2ebfebe7b27a431fbcae591f7d199 (tree)
Zeit2007-11-12 02:43:25
Autordann frazier <dannf@dann...>
CommiterWilly Tarreau

Log Message

[PATCH 1/4] [OpenPROM]: Fix signedness bug in openprom char driver

CVE-2004-2731 describes two issues in the openprom driver.
The first issue, an integer overflow in copyin_string(), appears to be
fixed in 2.4. The second issue, an overflow in copyin(), is still present.

A description of both issues is here:

The user-provided 'bufsize' is checked for being too large, but is not checked
for being negative. This patch avoids this situation by making bufsize
unsigned.

This change has been in 2.6 for a number of years now:

Signed-off-by: dann frazier <dannf@hp.com>

Ändern Zusammenfassung

Diff

--- a/drivers/sbus/char/openprom.c
+++ b/drivers/sbus/char/openprom.c
@@ -68,7 +68,7 @@ static int options_node = 0;
6868 */
6969 static int copyin(struct openpromio *info, struct openpromio **opp_p)
7070 {
71- int bufsize;
71+ unsigned int bufsize;
7272
7373 if (!info || !opp_p)
7474 return -EFAULT;
Show on old repository browser