[PATCH 4/4] tipc: Fix bugs in sending of large amounts of byte-stream data
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 
From: Allan Stephens <Allan.Stephens@xxxxxxxxxxxxx>

Enhances the routine that sends data for SOCK_STREAM sockets to
fix the following issues:

- Uses "size_t" to specify the size and number of iovec array entries
  to avoid the risk of accidentally truncating data.
- No longer uses comparisons that mix signed and unsigned size values.
- Adds check to terminate sending early if continuation would require
  returning a value too large to fit in an "int".

Signed-off-by: Allan Stephens <Allan.Stephens@xxxxxxxxxxxxx>
---
 net/tipc/socket.c |   20 ++++++++++++--------
 1 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 33217fc..081eda5 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -703,12 +703,12 @@ static int send_stream(struct kiocb *iocb, struct socket *sock,
 	struct msghdr my_msg;
 	struct iovec my_iov;
 	struct iovec *curr_iov;
-	int curr_iovlen;
+	size_t curr_iovlen;
 	char __user *curr_start;
 	u32 hdr_size;
-	int curr_left;
-	int bytes_to_send;
-	int bytes_sent;
+	size_t curr_left;
+	size_t bytes_to_send;
+	size_t bytes_sent;
 	int res;
 
 	lock_sock(sk);
@@ -757,15 +757,19 @@ static int send_stream(struct kiocb *iocb, struct socket *sock,
 
 		while (curr_left) {
 			bytes_to_send = tport->max_pkt - hdr_size;
-			if (bytes_to_send > TIPC_MAX_USER_MSG_SIZE)
-				bytes_to_send = TIPC_MAX_USER_MSG_SIZE;
+			if (bytes_to_send > (size_t)TIPC_MAX_USER_MSG_SIZE)
+				bytes_to_send = (size_t)TIPC_MAX_USER_MSG_SIZE;
 			if (curr_left < bytes_to_send)
 				bytes_to_send = curr_left;
+			if (bytes_to_send > (size_t)INT_MAX - bytes_sent) {
+				res = (int)bytes_sent;
+				goto exit;
+			}
 			my_iov.iov_base = curr_start;
 			my_iov.iov_len = bytes_to_send;
 			if ((res = send_packet(NULL, sock, &my_msg, 0)) < 0) {
 				if (bytes_sent)
-					res = bytes_sent;
+					res = (int)bytes_sent;
 				goto exit;
 			}
 			curr_left -= bytes_to_send;
@@ -775,7 +779,7 @@ static int send_stream(struct kiocb *iocb, struct socket *sock,
 
 		curr_iov++;
 	}
-	res = bytes_sent;
+	res = (int)bytes_sent;
 exit:
 	release_sock(sk);
 	return res;
-- 
1.7.1.GIT

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Linux Kernel Discussion]     [Ethernet Bridging]     [Linux Wireless Networking]     [Linux Bluetooth Networking]     [Linux Networking Users]     [VLAN]     [Git]     [IETF Annouce]     [Linux Assembly]     [Security]     [Bugtraq]     [Photo]     [Singles Social Networking]     [Yosemite Information]     [MIPS Linux]     [ARM Linux Kernel]     [ARM Linux]     [Linux Virtualization]     [Linux Security]     [Linux IDE]     [Linux RAID]     [Linux SCSI]     [Free Dating]

Add to Google Powered by Linux