blob: 38f08b677ff5cb107794d9374bcc0ed4ee0bb6e7 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
Description: net: Negative socket receive buffer size permitted
References:
Notes:
bwh> Prior to commit 82981930125a "net: cleanups in sock_setsockopt()":
bwh> - The comparison with SOCK_MIN_SNDBUF used type int, so it
bwh> rejected negative values
bwh> - The comparison with SOCK_MIN_RCVBUF used type size_t, so it did
bwh> *not* reject negative values
bwh> - The comparisons of val with sysctl_wmem_max used type u32, so
bwh> they rejected negative values *unless* sysctl_wmem_max >=
bwh> 1 << 30 (and why would you set it that high?!)
bwh> So it was possible to set a negative value for sock::sk_rcvbuf
bwh> through SO_RCVBUFFORCE (escalation from CAP_NET_ADMIN to kernel)
bwh> or through SO_RCVBUF (escalation from user to kernel) iff
bwh> sysctl_wmem_max was large enough.
Bugs:
upstream: released (3.5-rc1) [82981930125abfd39d7c8378a9cfdf5e1be2002b]
3.16-upstream-stable: N/A "Fixed before initial 3.16 release"
3.2-upstream-stable: released (3.2.85) [net-cleanups-in-sock_setsockopt.patch]
sid: released (3.8.11-1)
3.16-jessie-security: N/A "Fixed before initial 3.16 release"
3.2-wheezy-security: released (3.2.84-1) [bugfix/all/net-cleanups-in-sock_setsockopt.patch]
|