| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4806D847.2030806@trash.net>
Date: Thu, 17 Apr 2008 06:55:35 +0200
From: Patrick McHardy <kaber@...sh.net>
To: David Miller <davem@...emloft.net>
CC: 12o3l@...cali.nl, hadi@...erus.ca, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] NET: catch signed nla_len() retval in tcf_simp_init()
David Miller wrote:
> From: Roel Kluin <12o3l@...cali.nl>
> Date: Thu, 17 Apr 2008 05:33:21 +0200
>
>> 'datalen' is unsigned, use 'ret' instead to catch a negative return value.
>>
>> Signed-off-by: Roel Kluin <12o3l@...cali.nl>
>> ---
>> diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
>> index fbde461..b78d015 100644
>> --- a/net/sched/act_simple.c
>> +++ b/net/sched/act_simple.c
>> @@ -114,9 +114,10 @@ static int tcf_simp_init(struct nlattr *nla, struct nlattr *est,
>> if (defdata == NULL)
>> return -EINVAL;
>>
>> - datalen = nla_len(tb[TCA_DEF_DATA]);
>> - if (datalen <= 0)
>> + ret = nla_len(tb[TCA_DEF_DATA]);
>> + if (ret <= 0)
>> return -EINVAL;
>> + datalen = ret;
>>
>> pc = tcf_hash_check(parm->index, a, bind, &simp_hash_info);
>> if (!pc) {
>
> This clobbers 'ret' which is compared to ACT_P_CREATED
> later in the function. If the !pc branch below this code
> is not taken, ret must be left at it's initial value of
> zero. Now, it will take on some non-zero positive value
> which is not correct.
The change is also unnecessary because the attribute was
already validated and the length can not be less than zero.
This patch changes it to only check for zero length.
Signed-off-by: Patrick McHardy <kaber@...sh.net>
View attachment "x" of type "text/plain" (418 bytes)
Powered by blists - more mailing lists