diff options
author | David S. Miller <davem@davemloft.net> | 2010-09-28 05:24:54 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-09-28 05:24:54 +0200 |
commit | 01db403cf99f739f86903314a489fb420e0e254f (patch) | |
tree | bf04fbfb3ed88d6cf7abeea1ab5209be36907882 /net/core/iovec.c | |
parent | net/9p: Mount only matching virtio channels (diff) | |
download | linux-01db403cf99f739f86903314a489fb420e0e254f.tar.xz linux-01db403cf99f739f86903314a489fb420e0e254f.zip |
tcp: Fix >4GB writes on 64-bit.
Fixes kernel bugzilla #16603
tcp_sendmsg() truncates iov_len to an 'int' which a 4GB write to write
zero bytes, for example.
There is also the problem higher up of how verify_iovec() works. It
wants to prevent the total length from looking like an error return
value.
However it does this using 'int', but syscalls return 'long' (and
thus signed 64-bit on 64-bit machines). So it could trigger
false-positives on 64-bit as written. So fix it to use 'long'.
Reported-by: Olaf Bonorden <bono@onlinehome.de>
Reported-by: Daniel Büse <dbuese@gmx.de>
Reported-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core/iovec.c')
-rw-r--r-- | net/core/iovec.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/net/core/iovec.c b/net/core/iovec.c index 1cd98df412df..e6b133b77ccb 100644 --- a/net/core/iovec.c +++ b/net/core/iovec.c @@ -35,9 +35,10 @@ * in any case. */ -int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode) +long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode) { - int size, err, ct; + int size, ct; + long err; if (m->msg_namelen) { if (mode == VERIFY_READ) { |