Re: [PATCH] netrom: fix copying in user data in nr_setsockopt

From: Dan Carpenter <hidden>
Date: 2022-01-06 14:52:49
Also in: linux-hams

On Tue, Jan 04, 2022 at 10:21:26AM +0100, Christoph Hellwig wrote:

quoted hunk ↗ jump to hunk

This code used to copy in an unsigned long worth of data before
the sockptr_t conversion, so restore that.

Fixes: a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt")
Reported-by: Dan Carpenter <redacted>
Signed-off-by: Christoph Hellwig <hch@lst.de>
---
 net/netrom/af_netrom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 775064cdd0ee4..f1ba7dd3d253d 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c

@@ -306,7 +306,7 @@ static int nr_setsockopt(struct socket *sock, int level, int optname,
 	if (optlen < sizeof(unsigned int))
 		return -EINVAL;
 
-	if (copy_from_sockptr(&opt, optval, sizeof(unsigned int)))
+	if (copy_from_sockptr(&opt, optval, sizeof(unsigned long)))
 		return -EFAULT;

No this isn't right.  In the original code, it copied an unsigned int.

	if (get_user(opt, (unsigned int __user *)optval))

The fix is to probably to change "opt" to an unsigned int.  I wonder if
I need to update all the integer overflow checks to from:

-	if (opt > ULONG_MAX / HZ)
+	if (opt > UINT_MAX / HZ)

...

Probably no one cares, right?  Ralf?

regards,
dan carpenter

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help