May be nothing, but it looks like SO_*BUF may have signedness issues (have
these been picked up by the Stanford tools and fixed in recent 2.4.x?)
int val;
...
case SO_SNDBUF:
if (val > sysctl_wmem_max)
val = sysctl_wmem_max;
sk->sndbuf = max(val*2,2048);
If val is negative, then sk->sndbuf ends up negative. This is because the
arguments to max are passed as _unsigned_ ints. SO_RCVBUF has similar
issues. Maybe a nasty local user could use this to chew up memory?
Cheers
Chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/