On Mon, Jan 10, 2022 at 11:07:08AM +0100, Pavel Machek wrote:
Hi!
From: Christoph Hellwig hch@lst.de
commit 3087a6f36ee028ec095c04a8531d7d33899b7fed upstream.
This code used to copy in an unsigned long worth of data before the sockptr_t conversion, so restore that.
Maybe, but then the size checks need to be updated, too.
Reported-by: Dan Carpenter dan.carpenter@oracle.com
Signed-off-by: Christoph Hellwig hch@lst.de
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
net/netrom/af_netrom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c @@ -306,7 +306,7 @@ static int nr_setsockopt(struct socket * if (optlen < sizeof(unsigned int))
This should be < sizeof(unsigned long)) ... AFAICT.
return -EINVAL;
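Review bot: the length check kept as context in this hunk, `if (optlen < sizeof(unsigned int))`, does not match the copy size the commit message describes ("an unsigned long worth of data"). Where unsigned long is wider than unsigned int, an optlen equal to sizeof(unsigned int) passes this check while the copy reads sizeof(unsigned long) bytes from the caller's buffer. Make the check and the copy agree: either compare optlen against sizeof(unsigned long), or keep the copy and the variable at unsigned int.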
Yeah. This patch isn't right. I sent a follow on that changes everything to unsigned int. Originally it was:
if (get_user(opt, (unsigned int __user *)optval))
Which copies an unsigned int from the user into an unsigned long opt variable.
My fix is required to fix an uninitialized data bug in a7b75c5a8c41 ("net: pass a sockptr_t into ->setsockopt"). It would be slightly more complicated to just backport my fix without first backporting this one and it would look sort of weird. So I think it's better to backport this and then mine.
regards, dan carpenter
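
The size mismatch discussed in this thread, as an added userspace example that is not part of the original mails or the kernel source: it models the three shapes of the option copy (a partial copy into an unsigned long, the unsigned long copy from this patch, and the all-unsigned-int follow-on) behind the same `optlen` check. All names are hypothetical, and the partial-copy shape is an assumption about how the uninitialized data bug arises; the thread does not show that code.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Userspace model; every name here is hypothetical, not kernel code. */
enum shape {
    INT_COPY_INTO_LONG, /* assumed shape of the uninitialized-data bug */
    LONG_COPY,          /* this patch: copy an unsigned long worth of data */
    ALL_INT             /* follow-on: everything is unsigned int */
};

/* Stand-in for the user copy: refuses to read past optlen, so an
 * over-read is reported as -EFAULT instead of touching other memory. */
static int model_copy(void *dst, const void *src, size_t optlen, size_t n)
{
    if (n > optlen)
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* Returns 0 and stores the parsed option in *out, or a negative errno. */
static int parse_opt(enum shape s, const void *optval, size_t optlen,
                     unsigned long *out)
{
    unsigned long opt;
    unsigned int opt32 = 0;
    int err;

    memset(&opt, 0xAA, sizeof(opt)); /* constructed "stale stack" pattern */
    if (optlen < sizeof(unsigned int)) /* the check shown in the hunk */
        return -EINVAL;

    switch (s) {
    case INT_COPY_INTO_LONG: /* only part of opt is overwritten */
        err = model_copy(&opt, optval, optlen, sizeof(unsigned int));
        break;
    case LONG_COPY: /* copy is wider than what the check guaranteed */
        err = model_copy(&opt, optval, optlen, sizeof(unsigned long));
        break;
    default: /* check, copy and variable all agree on the size */
        err = model_copy(&opt32, optval, optlen, sizeof(opt32));
        opt = opt32;
        break;
    }
    if (err)
        return err;
    *out = opt;
    return 0;
}
```

On a platform where unsigned long is wider than unsigned int, a caller passing `sizeof(unsigned int)` bytes gets a value polluted by the stale pattern in the first shape and a refused over-read in the second; only the third returns the value the caller supplied.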