Check setsockopt arguments to avoid overflows and return -EINVAL for
too large arguments.
See commit 32288eb4d940 ("netrom: avoid overflows in nr_setsockopt()")
for details.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
net/rose/af_rose.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index e274bc6..af831ee9 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -372,15 +372,15 @@ static int rose_setsockopt(struct socket *sock, int
level, int optname,
{
struct sock *sk = sock->sk;
struct rose_sock *rose = rose_sk(sk);
- int opt;
+ unsigned long opt;
if (level != SOL_ROSE)
return -ENOPROTOOPT;
- if (optlen < sizeof(int))
+ if (optlen < sizeof(unsigned int))
return -EINVAL;
- if (get_user(opt, (int __user *)optval))
+ if (get_user(opt, (unsigned int __user *)optval))
return -EFAULT;
switch (optname) {
@@ -389,31 +389,31 @@ static int rose_setsockopt(struct socket *sock, int
level, int optname,
return 0;
case ROSE_T1:
- if (opt < 1)
+ if (opt < 1 || opt > ULONG_MAX / HZ)
return -EINVAL;
rose->t1 = opt * HZ;
return 0;
case ROSE_T2:
- if (opt < 1)
+ if (opt < 1 || opt > ULONG_MAX / HZ)
return -EINVAL;
rose->t2 = opt * HZ;
return 0;
case ROSE_T3:
- if (opt < 1)
+ if (opt < 1 || opt > ULONG_MAX / HZ)
return -EINVAL;
rose->t3 = opt * HZ;
return 0;
case ROSE_HOLDBACK:
- if (opt < 1)
+ if (opt < 1 || opt > ULONG_MAX / HZ)
return -EINVAL;
rose->hb = opt * HZ;
return 0;
case ROSE_IDLE:
- if (opt < 0)
+ if (opt < 0 || opt > ULONG_MAX / HZ)
return -EINVAL;
rose->idle = opt * 60 * HZ;
return 0;
--
2.7.4
