linux/net
Dan Rosenberg 218854af84 rds: Integer overflow in RDS cmsg handling
In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX.  This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation.  This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value.  If it somehow doesn't crash here, then memory
corruption could occur soon after.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-17 12:20:52 -08:00
..
9p net/9p: Return error on read with NULL buffer 2010-10-28 09:08:49 -05:00
802 net/802: add __rcu annotations 2010-10-25 13:09:44 -07:00
8021q vlan: rcu annotations 2010-10-25 13:09:43 -07:00
appletalk
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2010-10-23 11:47:02 -07:00
ax25 net: ax25: fix information leak to userland 2010-11-10 10:14:33 -08:00
bluetooth Bluetooth: fix not setting security level when creating a rfcomm session 2010-11-09 00:56:10 -02:00
bridge bridge: Forward reserved group addresses if !STP 2010-10-21 04:25:48 -07:00
caif caif: Remove noisy printout when disconnecting caif socket 2010-11-03 18:50:04 -07:00
can can-bcm: fix minor heap overflow 2010-11-12 14:07:14 -08:00
ceph ceph: fix num_pages_free accounting in pagelist 2010-10-20 15:38:23 -07:00
core rtnetlink: Fix message size calculation for link messages 2010-11-12 10:53:09 -08:00
dcb
dccp dccp ccid-2: Stop polling 2010-10-28 10:27:01 -07:00
decnet net: avoid limits overflow 2010-11-10 12:12:00 -08:00
dns_resolver DNS: If the DNS server returns an error, allow that to be cached [ver #2] 2010-08-11 17:11:28 +00:00
dsa phylib: available for any speed ethernet 2010-08-11 23:03:50 -07:00
econet net: return operator cleanup 2010-09-23 14:33:39 -07:00
ethernet net: return operator cleanup 2010-09-23 14:33:39 -07:00
ieee802154
ipv4 xfrm: update flowi saddr in icmp_send if unset 2010-11-16 11:43:39 -08:00
ipv6 ipv6: Warn users if maximum number of routes is reached. 2010-11-12 14:03:24 -08:00
ipx BKL: introduce CONFIG_BKL. 2010-10-21 15:44:13 +02:00
irda irda: irttp: allow zero byte packets 2010-11-16 09:50:47 -08:00
iucv [S390] cleanup lowcore access from external interrupts 2010-10-25 16:10:19 +02:00
key net: return operator cleanup 2010-09-23 14:33:39 -07:00
l2tp l2tp: kzalloc with swapped params in l2tp_dfs_seq_open 2010-11-01 06:56:02 -07:00
lapb
llc net/llc: storing negative error codes in unsigned short 2010-09-16 22:38:23 -07:00
mac80211 mac80211: unset SDATA_STATE_OFFCHANNEL when cancelling a scan 2010-11-08 16:53:47 -05:00
netfilter Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6 2010-11-03 18:52:32 -07:00
netlabel
netlink netlink: fix netlink_change_ngroups() 2010-10-24 16:25:39 -07:00
netrom
packet net: Fix header size check for GSO case in recvmsg (af_packet) 2010-11-12 11:06:46 -08:00
phonet phonet: remove the unused variable pn 2010-10-20 01:55:54 -07:00
rds rds: Integer overflow in RDS cmsg handling 2010-11-17 12:20:52 -08:00
rfkill Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2010-10-23 11:47:02 -07:00
rose Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-09-27 01:03:03 -07:00
rxrpc Add a dummy printk function for the maintenance of unused printks 2010-08-12 09:51:35 -07:00
sched classifier: report statistics for basic classifier 2010-11-08 12:17:05 -08:00
sctp net: avoid limits overflow 2010-11-10 12:12:00 -08:00
sunrpc convert get_sb_single() users 2010-10-29 04:16:28 -04:00
tipc net: tipc: fix information leak to userland 2010-11-09 09:25:46 -08:00
unix fs: allow for more than 2^31 files 2010-10-26 16:52:15 -07:00
wanrouter fix printk typo 'faild' 2010-08-09 11:25:17 +02:00
wimax
wireless cfg80211: fix a crash in dev lookup on dump commands 2010-11-08 16:53:47 -05:00
x25 x25: Prevent crashing when parsing bad X.25 facilities 2010-11-12 12:44:42 -08:00
xfrm xfrm: make xfrm_bundle_ok local 2010-10-21 03:09:46 -07:00
compat.c net: Limit socket I/O iovec total length to INT_MAX. 2010-10-28 11:47:52 -07:00
Kconfig ceph: factor out libceph from Ceph file system 2010-10-20 15:37:28 -07:00
Makefile ceph: factor out libceph from Ceph file system 2010-10-20 15:37:28 -07:00
nonet.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
socket.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-10-30 18:42:58 -07:00
sysctl_net.c
TUNABLE