From 996bad4803a2ebfebe7b27a431fbcae591f7d199 Mon Sep 17 00:00:00 2001 From: dann frazier Date: Tue, 6 Nov 2007 15:36:46 -0700 Subject: [PATCH] [PATCH 1/4] [OpenPROM]: Fix signedness bug in openprom char driver CVE-2004-2731 describes two issues in the openprom driver. The first issue, an integer overflow in copyin_string(), appears to be fixed in 2.4. The second issue, an overflow in copyin(), is still present. A description of both issues is here: http://www.securityfocus.com/archive/1/367575 The user-provided 'bufsize' is checked for being too large, but is not checked for being negative. This patch avoids this situation by making bufsize unsigned. This change has been in 2.6 for a number of years now: http://linux.bkbits.net:8080/linux-2.6/?PAGE=patch&REV=3d686423le0SEotURGfYEbgMpPGKqw Signed-off-by: dann frazier --- drivers/sbus/char/openprom.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/sbus/char/openprom.c b/drivers/sbus/char/openprom.c index 7f74f9f3..33e4ec7c 100644 --- a/drivers/sbus/char/openprom.c +++ b/drivers/sbus/char/openprom.c @@ -68,7 +68,7 @@ static int options_node = 0; */ static int copyin(struct openpromio *info, struct openpromio **opp_p) { - int bufsize; + unsigned int bufsize; if (!info || !opp_p) return -EFAULT; -- 2.11.0
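Review bot: the one-line change of `int bufsize;` to `unsigned int bufsize;` only closes the negative-size hole if the existing "too large" check (outside this hunk's context) compares bufsize against the maximum as an unsigned value; with an unsigned type a negative user-supplied size wraps to a large positive value and is then rejected by that upper-bound check, which is the fix the commit message describes, so please confirm in the same patch that no other signed comparison or arithmetic on bufsize (for example a length computation that adds a header size) remains in copyin(). A short comment at the declaration noting that bufsize is read from user-provided data would also help future readers see why the type matters.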