Date: Fri, 9 Oct 2009 17:34:49 -0700
From: "Templin, Fred L" <Fred.L.Templin@...ing.com>
To: Greg KH <gregkh@...e.de>,
    "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
    "stable@...nel.org" <stable@...nel.org>
CC: "stable-review@...nel.org" <stable-review@...nel.org>,
    "torvalds@...ux-foundation.org" <torvalds@...ux-foundation.org>,
    "akpm@...ux-foundation.org" <akpm@...ux-foundation.org>,
    "alan@...rguk.ukuu.org.uk" <alan@...rguk.ukuu.org.uk>,
    Sascha Hlusiak <contact@...chahlusiak.de>,
    "David S. Miller" <davem@...emloft.net>,
    YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@...ux-ipv6.org>
Subject: RE: [patch 37/37] sit: fix off-by-one in ipip6_tunnel_get_prl

Wait a moment - I remember now that this code came from Yoshifuji,
and I believe there was a reason for the cmax+1. The application is
expected to know this and to post a large enough buffer.

Can we put this on hold until I have had a chance to check my
e-mail archives and my local iproute changes (will respond on
Monday)?

Thanks - Fred
fred.l.templin@...ing.com

> -----Original Message-----
> From: Greg KH [mailto:gregkh@...e.de]
> Sent: Friday, October 09, 2009 4:35 PM
> To: linux-kernel@...r.kernel.org; stable@...nel.org
> Cc: stable-review@...nel.org; torvalds@...ux-foundation.org; akpm@...ux-foundation.org;
> alan@...rguk.ukuu.org.uk; Sascha Hlusiak; Templin, Fred L; David S. Miller
> Subject: [patch 37/37] sit: fix off-by-one in ipip6_tunnel_get_prl
>
> 2.6.31-stable review patch. If anyone has any objections, please let us know.
>
> ------------------
> From: Sascha Hlusiak <contact@...chahlusiak.de>
>
> [ Upstream commit 298bf12ddb25841804f26234a43b89da1b1c0e21 ]
>
> When requesting all prl entries (kprl.addr == INADDR_ANY) and there are
> more prl entries than there is space passed from userspace, the existing
> code would always copy cmax+1 entries, which is more than can be handled.
>
> This patch makes the kernel copy only exactly cmax entries.
> > Signed-off-by: Sascha Hlusiak <contact@...chahlusiak.de> > Acked-By: Fred L. Templin <Fred.L.Templin@...ing.com> > Signed-off-by: David S. Miller <davem@...emloft.net> > Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de> > --- > net/ipv6/sit.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > --- a/net/ipv6/sit.c > +++ b/net/ipv6/sit.c > @@ -313,7 +313,7 @@ static int ipip6_tunnel_get_prl(struct i > > c = 0; > for (prl = t->prl; prl; prl = prl->next) { > - if (c > cmax) > + if (c >= cmax) > break; > if (kprl.addr != htonl(INADDR_ANY) && prl->addr != kprl.addr) > continue; > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
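Review bot: the new bound `if (c >= cmax)` in the ipip6_tunnel_get_prl loop is only correct if cmax is exactly the number of entries the destination can hold, and the hunk does not show where cmax is computed. The commit message should say how cmax is derived from the length passed from userspace, and a one-line comment at the check would help, since the reply in this thread recalls the extra entry as intentional and expects the application to post a larger buffer. It is also worth confirming that no caller depends on receiving the extra entry to tell a truncated result from one that holds exactly cmax entries, because after this change the loop stops at cmax without signalling that more entries remain.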