forge/linux-pinenote
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

net: ipmr: limit MRT_TABLE identifiers

Browse source 
Name of pimreg devices are built from following format :

char name[IFNAMSIZ]; // IFNAMSIZ == 16

sprintf(name, "pimreg%u", mrt->id);

We must therefore limit mrt->id to 9 decimal digits
or risk a buffer overflow and a crash.

Restrict table identifiers in [0 ... 999999999] interval.

Reported-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Dumazet 2012-11-25 09:44:29 +00:00 committed by David S. Miller
commit b49d3c1e1c
1 changed files with 4 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
net/ipv4/ipmr.c
View file

@ -1318,6 +1318,10 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi
if (get_user(v, (u32 __user *)optval)) if (get_user(v, (u32 __user *)optval))
return -EFAULT; return -EFAULT;
/* "pimreg%u" should not exceed 16 bytes (IFNAMSIZ) */
if (v != RT_TABLE_DEFAULT && v >= 1000000000)
return -EINVAL;
rtnl_lock(); rtnl_lock();
ret = 0; ret = 0;
if (sk == rtnl_dereference(mrt->mroute_sk)) { if (sk == rtnl_dereference(mrt->mroute_sk)) {