diff options
author | Eric Dumazet <edumazet@google.com> | 2012-11-25 10:44:29 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2012-11-26 23:36:59 +0100 |
commit | b49d3c1e1c948d76d64790abe9acffa9fa747d19 (patch) | |
tree | df232ca487f9abb44f5be051addfe7bc8d96f484 /net/ipv4/ipmr.c | |
parent | ipv4: avoid passing NULL to inet_putpeer() in icmpv4_xrlim_allow() (diff) | |
download | linux-b49d3c1e1c948d76d64790abe9acffa9fa747d19.tar.xz linux-b49d3c1e1c948d76d64790abe9acffa9fa747d19.zip |
net: ipmr: limit MRT_TABLE identifiers
Name of pimreg devices are built from following format :
char name[IFNAMSIZ]; // IFNAMSIZ == 16
sprintf(name, "pimreg%u", mrt->id);
We must therefore limit mrt->id to 9 decimal digits
or risk a buffer overflow and a crash.
Restrict table identifiers in [0 ... 999999999] interval.
Reported-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to '')
-rw-r--r-- | net/ipv4/ipmr.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c index 6168c4dc58b1..3eab2b2ffd34 100644 --- a/net/ipv4/ipmr.c +++ b/net/ipv4/ipmr.c @@ -1318,6 +1318,10 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, unsi if (get_user(v, (u32 __user *)optval)) return -EFAULT; + /* "pimreg%u" should not exceed 16 bytes (IFNAMSIZ) */ + if (v != RT_TABLE_DEFAULT && v >= 1000000000) + return -EINVAL; + rtnl_lock(); ret = 0; if (sk == rtnl_dereference(mrt->mroute_sk)) { |