On Tue, 2006-08-29 at 21:44 -0700, David Miller wrote:
> From: Sridhar Samudrala <[EMAIL PROTECTED]>
> Date: Tue, 29 Aug 2006 10:55:29 -0700
>
> > verify_iovec() has the following piece of code that allows overflow
> > of iov_len values in an iovec.
> >
> > for (ct = 0; ct < m->msg_iovlen
From: Sridhar Samudrala <[EMAIL PROTECTED]>
Date: Tue, 29 Aug 2006 10:55:29 -0700
> verify_iovec() has the following piece of code that allows overflow
> of iov_len values in an iovec.
>
> for (ct = 0; ct < m->msg_iovlen; ct++) {
> err += iov[ct].iov_len;
>
On Tue, 2006-08-29 at 11:20 -0700, Chris Wright wrote:
> * Sridhar Samudrala ([EMAIL PROTECTED]) wrote:
> > -int verify_iovec(struct msghdr *m, struct iovec *iov, char *address, int
> > mode)
> > +ssize_t verify_iovec(struct msghdr *m, struct iovec *iov, char *address,
> > int mode)
> > {
> >
* Sridhar Samudrala ([EMAIL PROTECTED]) wrote:
> -int verify_iovec(struct msghdr *m, struct iovec *iov, char *address, int
> mode)
> +ssize_t verify_iovec(struct msghdr *m, struct iovec *iov, char *address, int
> mode)
> {
> int size, err, ct;
> + ssize_t tot_len = 0;
>
>
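Review bot: `int size, err, ct;` is left unchanged next to the new `ssize_t tot_len`, and the loop quoted in the report still accumulates with `err += iov[ct].iov_len;`. Widening the return type to `ssize_t` only helps if the sum is moved into `tot_len` and that is the value returned. The visible lines do not show the loop being changed, so please confirm that the accumulation uses `tot_len` and that a total which wraps or goes negative is rejected. The function's documentation should also say what the `ssize_t` return value means for any caller that still stores the result in an `int`.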
verify_iovec() has the following piece of code that allows overflow
of iov_len values in an iovec.

	for (ct = 0; ct < m->msg_iovlen; ct++) {
		err += iov[ct].iov_len;
		/*
		 * Goal is not to verify user data, but to prevent returning