[PATCH 1/4] [OpenPROM]: Fix signedness bug in openprom char driver

CVE-2004-2731 describes two issues in the openprom driver.
The first issue, an integer overflow in copyin_string(), appears to be
fixed in 2.4. The second issue, an overflow in copyin(), is still present.

A description of both issues is here:
  http://www.securityfocus.com/archive/1/367575

The user-provided 'bufsize' is checked for being too large, but is not checked
for being negative. This patch avoids this situation by making bufsize
unsigned.

This change has been in 2.6 for a number of years now:
  http://linux.bkbits.net:8080/linux-2.6/?PAGE=patch&REV=3d686423le0SEotURGfYEbgMpPGKqw

Signed-off-by: dann frazier <dannf@hp.com>

diff --git a/drivers/sbus/char/openprom.c b/drivers/sbus/char/openprom.c
index 7f74f9f..33e4ec7 100644 (file)
--- a/drivers/sbus/char/openprom.c
+++ b/drivers/sbus/char/openprom.c
@@ -68,7 +68,7 @@ static int options_node = 0;
  */
 static int copyin(struct openpromio *info, struct openpromio **opp_p)
 {
-       int bufsize;
+       unsigned int bufsize;
 
        if (!info || !opp_p)
                return -EFAULT;