diff options
author | Neal Cardwell | 2012-12-09 12:09:54 +0100 |
---|---|---|
committer | David S. Miller | 2012-12-10 01:00:48 +0100 |
commit | 5e1f54201cb481f40a04bc47e1bc8c093a189e23 (patch) | |
tree | f5fa04ab4f52467197692f6ddf3cb56d5908595e /net/ipv4/ip_fragment.c | |
parent | inet_diag: avoid unsafe and nonsensical prefix matches in inet_diag_bc_run() (diff) | |
download | kernel-qcow2-linux-5e1f54201cb481f40a04bc47e1bc8c093a189e23.tar.gz kernel-qcow2-linux-5e1f54201cb481f40a04bc47e1bc8c093a189e23.tar.xz kernel-qcow2-linux-5e1f54201cb481f40a04bc47e1bc8c093a189e23.zip |
inet_diag: validate port comparison byte code to prevent unsafe reads
Add logic to verify that a port comparison byte code operation
actually has the second inet_diag_bc_op from which we read the port
for such operations.
Previously the code blindly referenced op[1] without first checking
whether a second inet_diag_bc_op struct could fit there. So a
malicious user could make the kernel read 4 bytes beyond the end of
the bytecode array by claiming to have a whole port comparison byte
code (2 inet_diag_bc_op structs) when in fact the bytecode was not
long enough to hold both.
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/ip_fragment.c')
0 files changed, 0 insertions, 0 deletions