inet_diag: validate byte code to prevent oops in inet_diag_bc_run() - linux

diff options

author	Neal Cardwell <ncardwell@google.com>	2012-12-08 19:43:22 +0000
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-01-11 09:06:28 -0800
commit	879fc99ecd078f64849b95c47cf7e28705ac8884 (patch)
tree	eb570cc6cfc09defa928478ba30d6718e07a8ab3 /CREDITS
parent	457a04b96314023464f8249975b1efb4eef1c925 (diff)

inet_diag: validate byte code to prevent oops in inet_diag_bc_run()

[ Upstream commit 405c005949e47b6e91359159c24753519ded0c67 ] Add logic to validate INET_DIAG_BC_S_COND and INET_DIAG_BC_D_COND operations. Previously we did not validate the inet_diag_hostcond, address family, address length, and prefix length. So a malicious user could make the kernel read beyond the end of the bytecode array by claiming to have a whole inet_diag_hostcond when the bytecode was not long enough to contain a whole inet_diag_hostcond of the given address family. Or they could make the kernel read up to about 27 bytes beyond the end of a connection address by passing a prefix length that exceeded the length of addresses of the given family. Signed-off-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'CREDITS')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: