android_kernel_xiaomi_sm8350/net/rds
Dan Rosenberg 218854af84 rds: Integer overflow in RDS cmsg handling
In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX.  This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation.  This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value.  If it somehow doesn't crash here, then memory
corruption could occur soon after.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-17 12:20:52 -08:00
..
af_rds.c
bind.c
cong.c
connection.c
ib_cm.c
ib_rdma.c
ib_recv.c
ib_ring.c
ib_send.c
ib_stats.c
ib_sysctl.c
ib.c
ib.h
info.c
info.h
iw_cm.c
iw_rdma.c
iw_recv.c
iw_ring.c
iw_send.c
iw_stats.c
iw_sysctl.c
iw.c
iw.h
Kconfig
loop.c rds: Lost locking in loop connection freeing 2010-11-03 18:50:06 -07:00
loop.h
Makefile
message.c rds: Fix rds message leak in rds_message_map_pages 2010-11-08 12:17:09 -08:00
page.c
rdma_transport.c
rdma_transport.h
rdma.c rds: Integer overflow in RDS cmsg handling 2010-11-17 12:20:52 -08:00
rds.h
recv.c
send.c RDS: Let rds_message_alloc_sgs() return NULL 2010-10-30 16:34:18 -07:00
stats.c
sysctl.c
tcp_connect.c
tcp_listen.c
tcp_recv.c
tcp_send.c
tcp_stats.c
tcp.c rds: Remove kfreed tcp conn from list 2010-11-03 18:50:07 -07:00
tcp.h
threads.c
transport.c
xlist.h