diff options
| author | Li Wei <lw@cn.fujitsu.com> | 2012-07-29 16:01:30 +0000 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-07-29 23:18:31 -0700 |
| commit | 8253947e2cdfb14717c9212b751b7aec9ea9ef5e (patch) | |
| tree | 9089fdfff63ec45eec1cd49d74ca53b3a4096226 /net/core | |
| parent | b41a9a66f67817f8acd85bd650e012a14da39faa (diff) | |
| download | op-kernel-dev-8253947e2cdfb14717c9212b751b7aec9ea9ef5e.zip op-kernel-dev-8253947e2cdfb14717c9212b751b7aec9ea9ef5e.tar.gz | |
ipv6: fix incorrect route 'expires' value passed to userspace
When userspace use RTM_GETROUTE to dump route table, with an already
expired route entry, we always got an 'expires' value(2147157)
calculated base on INT_MAX.
The reason of this problem is in the following satement:
rt->dst.expires - jiffies < INT_MAX
gcc promoted the type of both sides of '<' to unsigned long, thus
a small negative value would be considered greater than INT_MAX.
With the help of Eric Dumazet, do the out of bound checks in
rtnl_put_cacheinfo(), _after_ conversion to clock_t.
Signed-off-by: Li Wei <lw@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core')
| -rw-r--r-- | net/core/rtnetlink.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index bc9e380..5ff949d 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -625,9 +625,13 @@ int rtnl_put_cacheinfo(struct sk_buff *skb, struct dst_entry *dst, u32 id, .rta_id = id, }; - if (expires) - ci.rta_expires = jiffies_to_clock_t(expires); + if (expires) { + unsigned long clock; + clock = jiffies_to_clock_t(abs(expires)); + clock = min_t(unsigned long, clock, INT_MAX); + ci.rta_expires = (expires > 0) ? clock : -clock; + } return nla_put(skb, RTA_CACHEINFO, sizeof(ci), &ci); } EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo); |
