summaryrefslogtreecommitdiffstats
path: root/net/ipv4/ipmr.c
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2012-11-25 10:44:29 +0100
committerDavid S. Miller <davem@davemloft.net>2012-11-26 23:36:59 +0100
commitb49d3c1e1c948d76d64790abe9acffa9fa747d19 (patch)
treedf232ca487f9abb44f5be051addfe7bc8d96f484 /net/ipv4/ipmr.c
parentipv4: avoid passing NULL to inet_putpeer() in icmpv4_xrlim_allow() (diff)
downloadlinux-b49d3c1e1c948d76d64790abe9acffa9fa747d19.tar.xz
linux-b49d3c1e1c948d76d64790abe9acffa9fa747d19.zip
net: ipmr: limit MRT_TABLE identifiers
Name of pimreg devices are built from following format : char name[IFNAMSIZ]; // IFNAMSIZ == 16 sprintf(name, "pimreg%u", mrt->id); We must therefore limit mrt->id to 9 decimal digits or risk a buffer overflow and a crash. Restrict table identifiers in [0 ... 999999999] interval. Reported-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to '')
-rw-r--r--net/ipv4/ipmr.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 6168c4dc58b1..3eab2b2ffd34 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1318,6 +1318,10 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi
if (get_user(v, (u32 __user *)optval))
return -EFAULT;
+ /* "pimreg%u" should not exceed 16 bytes (IFNAMSIZ) */
+ if (v != RT_TABLE_DEFAULT && v >= 1000000000)
+ return -EINVAL;
+
rtnl_lock();
ret = 0;
if (sk == rtnl_dereference(mrt->mroute_sk)) {