lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <50B2C470.5090802@asianux.com>
Date:	Mon, 26 Nov 2012 09:22:56 +0800
From:	Chen Gang <gang.chen@...anux.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
CC:	David Miller <davem@...emloft.net>, netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH] net: ipmr: limit MRT_TABLE identifiers

于 2012年11月26日 03:44, Eric Dumazet 写道:
> From: Eric Dumazet <edumazet@...gle.com>
> 
> Name of pimreg devices are built from following format :
> 
> char name[IFNAMSIZ]; // IFNAMSIZ == 16
> 
> sprintf(name, "pimreg%u", mrt->id);
> 
> We must therefore limit mrt->id to 9 decimal digits
> or risk a buffer overflow and a crash.
> 
> Restrict table identifiers in [0 ... 999999999] interval.
> 

  if we have to stick to "pimreg%u" (or will hurt the functional features)
  suggest to let user mode know this limitation. 
    define a macro in public header (user mode can know it) and give comments.
    use macro instead of number.
    remove the comments which is inside internal function.

  thanks.

gchen.


> Reported-by: Chen Gang <gang.chen@...anux.com>
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> ---
>  net/ipv4/ipmr.c |    4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
> index 6168c4d..3eab2b2 100644
> --- a/net/ipv4/ipmr.c
> +++ b/net/ipv4/ipmr.c
> @@ -1318,6 +1318,10 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi
>  		if (get_user(v, (u32 __user *)optval))
>  			return -EFAULT;
>  
> +		/* "pimreg%u" should not exceed 16 bytes (IFNAMSIZ) */
> +		if (v != RT_TABLE_DEFAULT && v >= 1000000000)
> +			return -EINVAL;
> +
>  		rtnl_lock();
>  		ret = 0;
>  		if (sk == rtnl_dereference(mrt->mroute_sk)) {
> 
> 
> 
> 


-- 
Chen Gang

Asianux Corporation
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ