Re: [PATCH] netrom: fix copying in user data in nr_setsockopt
From: Dan Carpenter <hidden>
Date: 2022-01-06 14:52:49
Also in:
linux-hams
On Tue, Jan 04, 2022 at 10:21:26AM +0100, Christoph Hellwig wrote:
This code used to copy in an unsigned long worth of data before the sockptr_t conversion, so restore that. Fixes: a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt") Reported-by: Dan Carpenter <redacted> Signed-off-by: Christoph Hellwig <hch@lst.de> --- net/netrom/af_netrom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index 775064cdd0ee4..f1ba7dd3d253d 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c@@ -306,7 +306,7 @@ static int nr_setsockopt(struct socket *sock, int level, int optname, if (optlen < sizeof(unsigned int)) return -EINVAL; - if (copy_from_sockptr(&opt, optval, sizeof(unsigned int))) + if (copy_from_sockptr(&opt, optval, sizeof(unsigned long))) return -EFAULT;
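Review bot: the length check in the context lines, if (optlen < sizeof(unsigned int)), is not raised along with the copy size. Where unsigned long is wider than unsigned int, a caller passing optlen == sizeof(unsigned int) clears the check and copy_from_sockptr() then reads sizeof(unsigned long) bytes, more than the caller declared. Either keep the copy at sizeof(unsigned int) and make the type of opt match it, or change the check to optlen < sizeof(unsigned long), which would reject callers that pass a 4-byte option on 64-bit. The commit message should also state which width the code read before the sockptr_t conversion, since the size chosen here rests on that.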
No, this isn't right. In the original code, it copied an unsigned int.

	if (get_user(opt, (unsigned int __user *)optval))

The fix is probably to change "opt" to an unsigned int. I wonder if I need to update all the integer overflow checks from:

- if (opt > ULONG_MAX / HZ)
+ if (opt > UINT_MAX / HZ)

...

Probably no one cares, right? Ralf?

regards,
dan carpenter