Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.19 / 5e1f54201cb481f40a04bc47e1bc8c093a189e23
commit5e1f54201cb481f40a04bc47e1bc8c093a189e23[log] [tgz]
authorNeal Cardwell <ncardwell@google.com>Sun Dec 09 11:09:54 2012 +0000
committerDavid S. Miller <davem@davemloft.net>Sun Dec 09 19:00:48 2012 -0500
treef5fa04ab4f52467197692f6ddf3cb56d5908595e
parentf67caec9068cee426ec23cf9005a1dee2ecad187 [diff]
inet_diag: validate port comparison byte code to prevent unsafe reads

Add logic to verify that a port comparison byte code operation
actually has the second inet_diag_bc_op from which we read the port
for such operations.

Previously the code blindly referenced op[1] without first checking
whether a second inet_diag_bc_op struct could fit there. So a
malicious user could make the kernel read 4 bytes beyond the end of
the bytecode array by claiming to have a whole port comparison byte
code (2 inet_diag_bc_op structs) when in fact the bytecode was not
long enough to hold both.

Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 file changed
tree: f5fa04ab4f52467197692f6ddf3cb56d5908595e
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS