2.4.36-stable kernel tree
リビジョン | a86164be2f5448d27c2ae9eaf69ce21ea2dec33d (tree) |
---|---|
日時 | 2007-04-15 00:39:47 |
作者 | Willy Tarreau <w@1wt....> |
コミッター | Willy Tarreau |
[DECNet] fib: Fix out of bound access of dn_fib_props[]
Backported from 2.6. Found and fixed by Thomas Graf:
Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
@@ -61,7 +61,7 @@ static struct | ||
61 | 61 | { |
62 | 62 | int error; |
63 | 63 | u8 scope; |
64 | -} dn_fib_props[RTA_MAX+1] = { | |
64 | +} dn_fib_props[RTN_MAX+1] = { | |
65 | 65 | { 0, RT_SCOPE_NOWHERE }, /* RTN_UNSPEC */ |
66 | 66 | { 0, RT_SCOPE_UNIVERSE }, /* RTN_UNICAST */ |
67 | 67 | { 0, RT_SCOPE_HOST }, /* RTN_LOCAL */ |
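Review bot: With the size corrected to `RTN_MAX+1`, any slot the initializer does not list explicitly is zero-filled, which reads the same as `{ 0, RT_SCOPE_UNIVERSE }`, the RTN_UNICAST entry. The initializer continues outside this hunk, so it cannot be confirmed here that it has one entry per route type up to RTN_MAX. If it is shorter, a userspace-supplied type that falls in the gap would pass the range check added in dn_fib_create_info, and the scope comparison after it would never reject it. A comment on the declaration would state the invariant, e.g. `/* one entry per RTN_* type, RTN_UNSPEC..RTN_MAX; indexed by rtm_type from netlink */`.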
@@ -257,6 +257,9 @@ struct dn_fib_info *dn_fib_create_info(const struct rtmsg *r, struct dn_kern_rta | ||
257 | 257 | struct dn_fib_info *ofi; |
258 | 258 | int nhs = 1; |
259 | 259 | |
260 | + if (r->rtm_type > RTN_MAX) | |
261 | + goto err_inval; | |
262 | + | |
260 | 263 | if (dn_fib_props[r->rtm_type].scope > r->rtm_scope) |
261 | 264 | goto err_inval; |
262 | 265 |
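Review bot: The new guard bounds `r->rtm_type` by `RTN_MAX`, while the array it protects takes its size from a separately written expression in the declaration, and a mismatch between those two was the bug being fixed. Bounding the index by the array itself keeps them from drifting apart again: `if (r->rtm_type >= sizeof(dn_fib_props) / sizeof(dn_fib_props[0]))` followed by the same `goto err_inval;`. A one-line comment above the check, such as `/* rtm_type is supplied by userspace via netlink; validate before indexing dn_fib_props[] */`, would record why it must stay ahead of the first array access. The rest of the function and the `err_inval` label lie outside the hunk, so the cleanup path was not reviewed.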