[PATCH] sysctl: fix min/max handling in__do_proc_doulongvec_minmax()

From: Eric Dumazet
Date: Sat Oct 02 2010 - 09:18:10 EST

Next message: Eric Dumazet: "Re: [Patch] Limit sysctl_tcp_mem and sysctl_udp_mem initializersto prevent integer overflows."
Previous message: Wim Van Sebroeck: "Re: [PATCHv3 0/3] watchdog: add f71862fg support"
Next in thread: AmÃrico Wang: "Re: [PATCH] sysctl: fix min/max handling in__do_proc_doulongvec_minmax()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When proc_doulongvec_minmax() is used with an array of longs,
and no min/max check requested (.extra1 or .extra2 being NULL), we
dereference a NULL pointer for the second element of the array.

Noticed while doing some changes in network stack for the "16TB problem"

Signed-off-by: Eric Dumazet <eric.dumazet@xxxxxxxxx>
---
kernel/sysctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index f88552c..4fba86d 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2500,7 +2500,8 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
break;
if (neg)
continue;
- if ((min && val < *min) || (max && val > *max))
+ if ((table->extra1 && val < *min) ||
+ (table->extra2 && val > *max))
continue;
*i = val;
} else {

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Eric Dumazet: "Re: [Patch] Limit sysctl_tcp_mem and sysctl_udp_mem initializersto prevent integer overflows."
Previous message: Wim Van Sebroeck: "Re: [PATCHv3 0/3] watchdog: add f71862fg support"
Next in thread: AmÃrico Wang: "Re: [PATCH] sysctl: fix min/max handling in__do_proc_doulongvec_minmax()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]