If you pass a huge nlen value into sys_sysctl() it will loop for hours
printing billions of question marks, so range-check the arguments.

Also, remove the code which informs the user that the sysctl is obsolete: it
allows unprivileged users to spam the logs.



---

 kernel/sysctl.c |   20 +++-----------------
 1 files changed, 3 insertions(+), 17 deletions(-)

diff -puN kernel/sysctl.c~sysctl-nlen-check kernel/sysctl.c
--- 25/kernel/sysctl.c~sysctl-nlen-check	2004-02-19 21:13:03.000000000 -0800
+++ 25-akpm/kernel/sysctl.c	2004-02-19 21:31:20.000000000 -0800
@@ -908,27 +908,13 @@ int do_sysctl(int __user *name, int nlen
 asmlinkage long sys_sysctl(struct __sysctl_args __user *args)
 {
 	struct __sysctl_args tmp;
-	int name[2];
 	int error;
 
 	if (copy_from_user(&tmp, args, sizeof(tmp)))
 		return -EFAULT;
-	
-	if (tmp.nlen != 2 || copy_from_user(name, tmp.name, sizeof(name)) ||
-	    name[0] != CTL_KERN || name[1] != KERN_VERSION) { 
-		int i;
-		printk(KERN_INFO "%s: numerical sysctl ", current->comm); 
-		for (i = 0; i < tmp.nlen; i++) {
-			int n;
-			
-			if (get_user(n, tmp.name+i)) {
-				printk("? ");
-			} else {
-				printk("%d ", n);
-			}
-		}
-		printk("is obsolete.\n");
-	} 
+
+	if (tmp.nlen < 0 || tmp.nlen > CTL_MAXNAME)
+		return -EINVAL;
 
 	lock_kernel();
 	error = do_sysctl(tmp.name, tmp.nlen, tmp.oldval, tmp.oldlenp,

_