diff options
author | Eric Dumazet <edumazet@google.com> | 2012-11-25 09:44:29 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2012-11-26 17:36:59 -0500 |
commit | b49d3c1e1c948d76d64790abe9acffa9fa747d19 (patch) | |
tree | df232ca487f9abb44f5be051addfe7bc8d96f484 | |
parent | e1a676424c290b1c8d757e3860170ac7ecd89af4 (diff) | |
download | op-kernel-dev-b49d3c1e1c948d76d64790abe9acffa9fa747d19.zip op-kernel-dev-b49d3c1e1c948d76d64790abe9acffa9fa747d19.tar.gz |
net: ipmr: limit MRT_TABLE identifiers
Name of pimreg devices are built from following format :
char name[IFNAMSIZ]; // IFNAMSIZ == 16
sprintf(name, "pimreg%u", mrt->id);
We must therefore limit mrt->id to 9 decimal digits
or risk a buffer overflow and a crash.
Restrict table identifiers in [0 ... 999999999] interval.
Reported-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/ipmr.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c index 6168c4d..3eab2b2 100644 --- a/net/ipv4/ipmr.c +++ b/net/ipv4/ipmr.c @@ -1318,6 +1318,10 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi if (get_user(v, (u32 __user *)optval)) return -EFAULT; + /* "pimreg%u" should not exceed 16 bytes (IFNAMSIZ) */ + if (v != RT_TABLE_DEFAULT && v >= 1000000000) + return -EINVAL; + rtnl_lock(); ret = 0; if (sk == rtnl_dereference(mrt->mroute_sk)) { |