diff options
| author | Dan Carpenter <error27@gmail.com> | 2011-01-09 23:06:58 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2011-01-10 16:33:17 -0500 |
| commit | facb4edc1e0e849ea98e147a821e60d6d6272c0a (patch) | |
| tree | 4de1206d197e889690b622593ab785b318d1905f /include | |
| parent | c599bd6b9ac8926b03e6bf332a8c14ae2ffb43a3 (diff) | |
phonet: some signedness bugs
Dan Rosenberg pointed out that there were some signed comparison bugs
in the phonet protocol.
http://marc.info/?l=full-disclosure&m=129424528425330&w=2
The problem is that we check for array overflows but "protocol" is
signed and we don't check for array underflows. If you have already
have CAP_SYS_ADMIN then you could use the bugs to get root, or someone
could cause an oops by mistake.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: RĂ©mi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
| -rw-r--r-- | include/net/phonet/phonet.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/include/net/phonet/phonet.h b/include/net/phonet/phonet.h index d5df797f9540..5395e09187df 100644 --- a/include/net/phonet/phonet.h +++ b/include/net/phonet/phonet.h | |||
| @@ -107,8 +107,8 @@ struct phonet_protocol { | |||
| 107 | int sock_type; | 107 | int sock_type; |
| 108 | }; | 108 | }; |
| 109 | 109 | ||
| 110 | int phonet_proto_register(int protocol, struct phonet_protocol *pp); | 110 | int phonet_proto_register(unsigned int protocol, struct phonet_protocol *pp); |
| 111 | void phonet_proto_unregister(int protocol, struct phonet_protocol *pp); | 111 | void phonet_proto_unregister(unsigned int protocol, struct phonet_protocol *pp); |
| 112 | 112 | ||
| 113 | int phonet_sysctl_init(void); | 113 | int phonet_sysctl_init(void); |
| 114 | void phonet_sysctl_exit(void); | 114 | void phonet_sysctl_exit(void); |