Re: [PATCH] Fix verify_iovec() to not allow overflow of iov_len values
From: Chris Wright <hidden>
Date: 2006-08-29 18:17:49
* Sridhar Samudrala (sri@us.ibm.com) wrote:
-int verify_iovec(struct msghdr *m, struct iovec *iov, char *address, int mode) +ssize_t verify_iovec(struct msghdr *m, struct iovec *iov, char *address, int mode) { int size, err, ct; + ssize_t tot_len = 0; if (m->msg_namelen) { if (mode == VERIFY_READ) {@@ -61,17 +62,22 @@ int verify_iovec(struct msghdr *m, struc err = 0; for (ct = 0; ct < m->msg_iovlen; ct++) { - err += iov[ct].iov_len; + ssize_t len; + /* - * Goal is not to verify user data, but to prevent returning - * negative value, which is interpreted as errno. - * Overflow is still possible, but it is harmless. + * Goal is not to verify user data, but to prevent the cases + * where an iov_len value or the sum of all iov_len values + * overflows ssize_t. */ - if (err < 0) - return -EMSGSIZE; + len = (ssize_t)iov[ct].iov_len; + if (len < 0) + return -EINVAL; + tot_len += len; + if (tot_len < 0)
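Review bot: the overflow test at the end of the hunk, `tot_len += len;` followed by `if (tot_len < 0)`, only fires after a signed addition has already overflowed, which is undefined behaviour in C, so the compiler is entitled to assume the sum of two non-negative ssize_t values stays non-negative and drop the check entirely. Accumulate in a `size_t` instead and test before adding, e.g. `if (len > SSIZE_MAX - tot_len) return -EMSGSIZE;`, which keeps the `-EINVAL` rejection of an individual `iov_len` that does not fit in `ssize_t` and never performs an operation that can overflow. Since the return type changes from `int` to `ssize_t` in the same hunk, callers that store the result in an `int` also need checking so the wider value is not truncated back.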
I specifically used size_t here, because signed integer overflow is not defined in C.

thanks,
-chris
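The distinction Chris draws, accumulating in size_t and checking the bound before the addition so that no signed overflow ever happens, as an added example in plain C. This is not the kernel's verify_iovec() and not code from either poster; the function names, the constructed demo inputs and the choice of which error value goes with which case are assumptions of the example, and only the POSIX headers are assumed to be available.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>     /* SSIZE_MAX */
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>  /* ssize_t */
#include <sys/uio.h>    /* struct iovec */

/*
 * Hardened summation (added example, not the kernel's verify_iovec()).
 * Both the running total and each element are kept as size_t, and every
 * bound is checked *before* the addition, so no arithmetic here can
 * overflow in either the signed (undefined) or unsigned (wrapping) sense.
 *
 * Returns 0 and stores the total in *total, -EINVAL if one iov_len alone
 * exceeds SSIZE_MAX, or -EMSGSIZE if the sum would.  The error values
 * mirror the ones used in the patch; the split between them is an
 * assumption of this example.
 */
int sum_iov_len(const struct iovec *iov, size_t iovlen, ssize_t *total)
{
    size_t tot = 0;

    for (size_t i = 0; i < iovlen; i++) {
        size_t len = iov[i].iov_len;

        /* same case the patch catches with (ssize_t)iov_len < 0 */
        if (len > (size_t)SSIZE_MAX)
            return -EINVAL;

        /* tot + len > SSIZE_MAX, rearranged so it cannot overflow */
        if (len > (size_t)SSIZE_MAX - tot)
            return -EMSGSIZE;

        tot += len;
    }

    *total = (ssize_t)tot;
    return 0;
}

/*
 * For contrast, the shape of the check in the patch: add first, then look
 * for a negative result.  Once tot_len + len really does exceed SSIZE_MAX
 * this is signed overflow, which is undefined behaviour; a compiler that
 * can see both operands are non-negative is entitled to drop the test.
 * Kept here for reading only; the demo functions do not call it.
 */
ssize_t sum_iov_len_signed(const struct iovec *iov, size_t iovlen)
{
    ssize_t tot_len = 0;

    for (size_t i = 0; i < iovlen; i++) {
        ssize_t len = (ssize_t)iov[i].iov_len;
        if (len < 0)
            return -EINVAL;
        tot_len += len;          /* may overflow: undefined behaviour */
        if (tot_len < 0)         /* not a reliable check */
            return -EMSGSIZE;
    }
    return tot_len;
}

/* Constructed inputs (not from the patch) for the three paths of sum_iov_len(). */
ssize_t demo_ok_total(void)
{
    struct iovec iov[2] = { { .iov_base = NULL, .iov_len = 10 },
                            { .iov_base = NULL, .iov_len = 20 } };
    ssize_t total = -1;
    return sum_iov_len(iov, 2, &total) == 0 ? total : -1;
}

int demo_big_element(void)
{
    /* a single iov_len that does not fit in ssize_t */
    struct iovec iov[1] = { { .iov_base = NULL,
                              .iov_len = (size_t)SSIZE_MAX + 1 } };
    ssize_t total = 0;
    return sum_iov_len(iov, 1, &total);
}

int demo_sum_overflow(void)
{
    /* each element fits on its own, their sum does not */
    struct iovec iov[2] = { { .iov_base = NULL, .iov_len = (size_t)SSIZE_MAX },
                            { .iov_base = NULL, .iov_len = 1 } };
    ssize_t total = 0;
    return sum_iov_len(iov, 2, &total);
}

int main(void)
{
    printf("ok:           total=%zd\n", demo_ok_total());
    printf("big element:  ret=%d (-EINVAL=%d)\n", demo_big_element(), -EINVAL);
    printf("sum overflow: ret=%d (-EMSGSIZE=%d)\n", demo_sum_overflow(), -EMSGSIZE);
    return 0;
}
```

The key move is `len > SSIZE_MAX - tot` rather than `tot + len > SSIZE_MAX`: the subtraction can never go below zero because `tot` is already known to be at most SSIZE_MAX, so the comparison is exact and no operand is ever pushed past its type's range.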