diff options
author | David S. Miller <davem@davemloft.net> | 2010-09-27 20:24:54 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-09-27 20:24:54 -0700 |
commit | 01db403cf99f739f86903314a489fb420e0e254f (patch) | |
tree | bf04fbfb3ed88d6cf7abeea1ab5209be36907882 /include | |
parent | 0b20406cda621c2495d10baab1e87127ceb43337 (diff) | |
download | linux-stable-01db403cf99f739f86903314a489fb420e0e254f.tar.gz linux-stable-01db403cf99f739f86903314a489fb420e0e254f.tar.bz2 linux-stable-01db403cf99f739f86903314a489fb420e0e254f.zip |
tcp: Fix >4GB writes on 64-bit.
Fixes kernel bugzilla #16603
tcp_sendmsg() truncates iov_len to an 'int' which a 4GB write to write
zero bytes, for example.
There is also the problem higher up of how verify_iovec() works. It
wants to prevent the total length from looking like an error return
value.
However it does this using 'int', but syscalls return 'long' (and
thus signed 64-bit on 64-bit machines). So it could trigger
false-positives on 64-bit as written. So fix it to use 'long'.
Reported-by: Olaf Bonorden <bono@onlinehome.de>
Reported-by: Daniel Büse <dbuese@gmx.de>
Reported-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/socket.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/include/linux/socket.h b/include/linux/socket.h index a2fada9becb6..a8f56e1ec760 100644 --- a/include/linux/socket.h +++ b/include/linux/socket.h @@ -322,7 +322,7 @@ extern int csum_partial_copy_fromiovecend(unsigned char *kdata, int offset, unsigned int len, __wsum *csump); -extern int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode); +extern long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode); extern int memcpy_toiovec(struct iovec *v, unsigned char *kdata, int len); extern int memcpy_toiovecend(const struct iovec *v, unsigned char *kdata, int offset, int len); |