tcp: Fix >4GB writes on 64-bit.

Fixes kernel bugzilla #16603

tcp_sendmsg() truncates iov_len to an 'int', which causes a 4GB write to
write zero bytes, for example.

There is also the problem higher up of how verify_iovec() works. It
wants to prevent the total length from looking like an error return
value.

However it does this using 'int', but syscalls return 'long' (and
thus signed 64-bit on 64-bit machines). So it could trigger
false-positives on 64-bit as written. So fix it to use 'long'.

Reported-by: Olaf Bonorden <bono@onlinehome.de>
Reported-by: Daniel Büse <dbuese@gmx.de>
Reported-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

+5 -4
+1 -1
include/linux/socket.h
··· 322 322 int offset, 323 323 unsigned int len, __wsum *csump); 324 324 325 - extern int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode); 325 + extern long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode); 326 326 extern int memcpy_toiovec(struct iovec *v, unsigned char *kdata, int len); 327 327 extern int memcpy_toiovecend(const struct iovec *v, unsigned char *kdata, 328 328 int offset, int len);
+3 -2
net/core/iovec.c
··· 35 35 * in any case. 36 36 */ 37 37 38 - int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode) 38 + long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode) 39 39 { 40 - int size, err, ct; 40 + int size, ct; 41 + long err; 41 42 42 43 if (m->msg_namelen) { 43 44 if (mode == VERIFY_READ) {
+1 -1
net/ipv4/tcp.c
··· 943 943 sg = sk->sk_route_caps & NETIF_F_SG; 944 944 945 945 while (--iovlen >= 0) { 946 - int seglen = iov->iov_len; 946 + size_t seglen = iov->iov_len; 947 947 unsigned char __user *from = iov->iov_base; 948 948 949 949 iov++;
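
Review bot: In include/linux/socket.h the return type of verify_iovec() becomes long, but none of the three files in this patch updates a caller. Any call site that still stores the result in an int truncates the value again and brings back the problem described in the commit message. Please audit the callers and widen their result variables in the same series. The adjacent memcpy_toiovec() and memcpy_toiovecend() prototypes also still take int len and int offset, which is worth checking against the same large-length case.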
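
Review bot: In net/core/iovec.c, size stays an int in the declaration "int size, ct;" while only err is widened to long. If size holds anything derived from an iov_len, it truncates the same way the commit message describes for tcp_sendmsg(), so either widen it to match or state in the changelog why int is sufficient there. A short comment at the function head saying the return value is a total byte count or a negative errno would also make the new long return type self-explanatory.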
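
Review bot: In net/ipv4/tcp.c, changing seglen from int to size_t at the top of the while loop also changes it from signed to unsigned. Any later test in the loop of the form seglen > 0, or any subtraction that could previously go negative, now behaves differently, and any int variable that receives a value computed from seglen can still truncate. Please check the remaining uses of seglen in the loop body, which this hunk does not show, and widen the dependent locals where needed.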