linux/net/rds
Dan Rosenberg 218854af84 rds: Integer overflow in RDS cmsg handling
In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX.  This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation.  This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value.  If it somehow doesn't crash here, then memory
corruption could occur soon after.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-17 12:20:52 -08:00
..
af_rds.c RDS/IB: print string constants in more places 2010-09-08 18:16:50 -07:00
bind.c rds: Use RCU for the bind lookup searches 2010-09-08 18:15:08 -07:00
cong.c RDS: Bypass workqueue when queueing cong updates 2010-09-08 18:12:16 -07:00
connection.c rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
ib_cm.c rds: double unlock in rds_ib_cm_handle_connect() 2010-09-19 11:59:44 -07:00
ib_rdma.c rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
ib_recv.c RDS/IB: print string constants in more places 2010-09-08 18:16:50 -07:00
ib_ring.c
ib_send.c RDS: Implement masked atomic operations 2010-09-08 18:16:51 -07:00
ib_stats.c RDS: Move atomic stats from general to ib-specific area 2010-09-08 18:12:20 -07:00
ib_sysctl.c rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
ib.c rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
ib.h rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
info.c RDS: cleanup: remove "== NULL"s and "!= NULL"s in ptr comparisons 2010-09-08 18:11:32 -07:00
info.h
iw_cm.c RDS: cleanup: remove "== NULL"s and "!= NULL"s in ptr comparisons 2010-09-08 18:11:32 -07:00
iw_rdma.c rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
iw_recv.c RDS: remove __init and __exit annotation 2010-09-08 18:16:39 -07:00
iw_ring.c
iw_send.c RDS: Rename data op members prefix from m_ to op_ 2010-09-08 18:11:59 -07:00
iw_stats.c
iw_sysctl.c rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
iw.c rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
iw.h rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
Kconfig
loop.c rds: Lost locking in loop connection freeing 2010-11-03 18:50:06 -07:00
loop.h
Makefile
message.c rds: Fix rds message leak in rds_message_map_pages 2010-11-08 12:17:09 -08:00
page.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-10-21 08:43:05 -07:00
rdma_transport.c rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
rdma_transport.h rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
rdma.c rds: Integer overflow in RDS cmsg handling 2010-11-17 12:20:52 -08:00
rds.h rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
recv.c rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
send.c RDS: Let rds_message_alloc_sgs() return NULL 2010-10-30 16:34:18 -07:00
stats.c RDS: remove __init and __exit annotation 2010-09-08 18:16:39 -07:00
sysctl.c RDS: remove __init and __exit annotation 2010-09-08 18:16:39 -07:00
tcp_connect.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-09-27 01:03:03 -07:00
tcp_listen.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-09-27 01:03:03 -07:00
tcp_recv.c rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
tcp_send.c rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
tcp_stats.c
tcp.c rds: Remove kfreed tcp conn from list 2010-11-03 18:50:07 -07:00
tcp.h rds: make local functions/variables static 2010-10-21 04:26:39 -07:00
threads.c RDS: remove __init and __exit annotation 2010-09-08 18:16:39 -07:00
transport.c RDS: have sockets get transport module references 2010-09-08 18:16:47 -07:00
xlist.h RDS: Remove unused XLIST_PTR_TAIL and xlist_protect() 2010-09-08 18:16:06 -07:00