2.4.36-stable kernel tree
|Author||dann frazier <dannf@dann...>|
[PATCH 1/4] [OpenPROM]: Fix signedness bug in openprom char driver
CVE-2004-2731 describes two issues in the openprom driver.
The first issue, an integer overflow in copyin_string(), appears to be
fixed in 2.4. The second issue, an overflow in copyin(), is still present.
A description of both issues is here:
The user-provided 'bufsize' is checked for being too large, but is not checked
for being negative. This patch avoids this situation by making bufsize
This change has been in 2.6 for a number of years now:
Signed-off-by: dann frazier <firstname.lastname@example.org>
|@@ -68,7 +68,7 @@ static int options_node = 0;|
|69||69||static int copyin(struct openpromio *info, struct openpromio **opp_p)|
|71||- int bufsize;|
|71||+ unsigned int bufsize;|
|73||73||if (!info || !opp_p)|
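Review bot: at the bufsize declaration in copyin(), the switch to "unsigned int bufsize;" only closes the hole if the upper-bound check the commit message refers to is evaluated in unsigned arithmetic. That check is outside this hunk, so please confirm that a negative user-supplied value now wraps to a large one and is rejected there, and that nothing later in copyin() assigns or casts bufsize back to a signed type before it is used as a size. A short comment at the declaration saying why it is unsigned (user-provided, must never be treated as negative) would keep a later cleanup from reverting the type.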