diff options
author | Dan Carpenter <error27@gmail.com> | 2010-10-04 02:28:36 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-10-05 00:40:39 -0700 |
commit | 4e18b3edf71f5d4ad653e3c2ff6560878e965f96 (patch) | |
tree | 63487292026992afbf5226f44bec12a1264686e9 /net | |
parent | 51e97a12bef19b7e43199fc153cf9bd5f2140362 (diff) | |
download | kernel_samsung_aries-4e18b3edf71f5d4ad653e3c2ff6560878e965f96.zip kernel_samsung_aries-4e18b3edf71f5d4ad653e3c2ff6560878e965f96.tar.gz kernel_samsung_aries-4e18b3edf71f5d4ad653e3c2ff6560878e965f96.tar.bz2 |
cls_u32: signedness bug
skb_headroom() is unsigned so "skb_headroom(skb) + toff" is also
unsigned and can't be less than zero. This test was added in 66d50d25:
"u32: negative offset fix" It was supposed to fix a regression.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/sched/cls_u32.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c index 7416a5c..b0c2a82 100644 --- a/net/sched/cls_u32.c +++ b/net/sched/cls_u32.c @@ -137,7 +137,7 @@ next_knode: int toff = off + key->off + (off2 & key->offmask); __be32 *data, _data; - if (skb_headroom(skb) + toff < 0) + if (skb_headroom(skb) + toff > INT_MAX) goto out; data = skb_header_pointer(skb, toff, 4, &_data); |