diff options
| author | Herbert Xu <herbert@gondor.hengli.com.au> | 2010-11-30 16:51:21 +0800 |
|---|---|---|
| committer | Miloslav Trmač <mitr@redhat.com> | 2010-11-30 14:28:42 +0100 |
| commit | 2bff54b710cdb49b42d22ca2d3d0a3ee91ddc0f0 (patch) | |
| tree | 084ccaacb1e6af1f6369358e6227709e8c2eb1d1 /drivers/char/riscom8_reg.h | |
| parent | 9e43ee6d3b352093775245386edd319c4f099c50 (diff) | |
| download | kernel-crypto-herbert.tar.gz kernel-crypto-herbert.tar.xz kernel-crypto-herbert.zip | |
crypto: algif_skcipher - Fixed overflow when sndbuf is page alignedherbert
Hi:
Just noticed that algif_skcipher fails to apply the sk_sndbuf limit
correctly unless it is a multiple of PAGE_SIZE. What happens is
that the merge path will exceed sk_sndbuf causing the subsequent
limit comparison to fail as it tries to do an unsigned comparison
with a negative value.
This patch fixes the problem.
commit 0f6bb83cb12e4617e696ffa566f3fc6c092686e2
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Tue Nov 30 16:49:02 2010 +0800
crypto: algif_skcipher - Fixed overflow when sndbuf is page aligned
When sk_sndbuf is not a multiple of PAGE_SIZE, the limit tests
in sendmsg fail as the limit variable becomes negative and we're
using an unsigned comparison.
The same thing can happen if sk_sndbuf is lowered after a sendmsg
call.
This patch fixes this by always taking the signed maximum of limit
and 0 before we perform the comparison.
It also rounds the value of sk_sndbuf down to a multiple of PAGE_SIZE
so that we don't end up allocating a page only to use a small number
of bytes in it because we're bound by sk_sndbuf.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'drivers/char/riscom8_reg.h')
0 files changed, 0 insertions, 0 deletions