diff options
| author | Neal Cardwell <ncardwell@google.com> | 2012-12-08 19:43:22 +0000 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-12-09 18:59:37 -0500 |
| commit | 405c005949e47b6e91359159c24753519ded0c67 (patch) | |
| tree | 0bc2ce5536a6c72a668319559099b2b3fad1debe /net/caif/cfdgml.c | |
| parent | 1c95df85ca49640576de2f0a850925957b547b84 (diff) | |
| download | linux-405c005949e47b6e91359159c24753519ded0c67.tar.bz2 | |
inet_diag: validate byte code to prevent oops in inet_diag_bc_run()
Add logic to validate INET_DIAG_BC_S_COND and INET_DIAG_BC_D_COND
operations.
Previously we did not validate the inet_diag_hostcond, address family,
address length, and prefix length. So a malicious user could make the
kernel read beyond the end of the bytecode array by claiming to have a
whole inet_diag_hostcond when the bytecode was not long enough to
contain a whole inet_diag_hostcond of the given address family. Or
they could make the kernel read up to about 27 bytes beyond the end of
a connection address by passing a prefix length that exceeded the
length of addresses of the given family.
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/caif/cfdgml.c')
0 files changed, 0 insertions, 0 deletions