diff options
author | Allan Stephens <allan.stephens@windriver.com> | 2008-05-21 17:52:30 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-05-21 17:52:30 -0400 |
commit | 59f0c4523fdea865fab7d69d878269992a9d08dd (patch) | |
tree | 4516d63a1c32fb8e06d0730527f3c54c02df2f87 | |
parent | dc58c78c047fb01f4c13e7de91abc5eb931920b3 (diff) |
tipc: Fix skb_under_panic when configuring TIPC without privileges
This patch prevents a TIPC configuration command requiring network
administrator privileges from triggering an skbuff underrun if it
is issued by a process lacking those privileges. The revised error
handling code avoids the use of a potentially uninitialized global
variable by transforming the unauthorized command into a new command,
then following the standard command processing path to generate the
required error message.
Signed-off-by: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/linux/tipc_config.h | 10 | ||||
-rw-r--r-- | net/tipc/config.c | 6 | ||||
-rw-r--r-- | net/tipc/netlink.c | 16 |
3 files changed, 23 insertions, 9 deletions
diff --git a/include/linux/tipc_config.h b/include/linux/tipc_config.h index b0c916d1f375..2bc6fa4adeb5 100644 --- a/include/linux/tipc_config.h +++ b/include/linux/tipc_config.h | |||
@@ -2,7 +2,7 @@ | |||
2 | * include/linux/tipc_config.h: Include file for TIPC configuration interface | 2 | * include/linux/tipc_config.h: Include file for TIPC configuration interface |
3 | * | 3 | * |
4 | * Copyright (c) 2003-2006, Ericsson AB | 4 | * Copyright (c) 2003-2006, Ericsson AB |
5 | * Copyright (c) 2005, Wind River Systems | 5 | * Copyright (c) 2005-2007, Wind River Systems |
6 | * All rights reserved. | 6 | * All rights reserved. |
7 | * | 7 | * |
8 | * Redistribution and use in source and binary forms, with or without | 8 | * Redistribution and use in source and binary forms, with or without |
@@ -136,6 +136,14 @@ | |||
136 | #define TIPC_CMD_SET_NETID 0x800B /* tx unsigned, rx none */ | 136 | #define TIPC_CMD_SET_NETID 0x800B /* tx unsigned, rx none */ |
137 | 137 | ||
138 | /* | 138 | /* |
139 | * Reserved commands: | ||
140 | * May not be issued by any process. | ||
141 | * Used internally by TIPC. | ||
142 | */ | ||
143 | |||
144 | #define TIPC_CMD_NOT_NET_ADMIN 0xC001 /* tx none, rx none */ | ||
145 | |||
146 | /* | ||
139 | * TLV types defined for TIPC | 147 | * TLV types defined for TIPC |
140 | */ | 148 | */ |
141 | 149 | ||
diff --git a/net/tipc/config.c b/net/tipc/config.c index 91d56f8fee9f..16e7cb74969b 100644 --- a/net/tipc/config.c +++ b/net/tipc/config.c | |||
@@ -2,7 +2,7 @@ | |||
2 | * net/tipc/config.c: TIPC configuration management code | 2 | * net/tipc/config.c: TIPC configuration management code |
3 | * | 3 | * |
4 | * Copyright (c) 2002-2006, Ericsson AB | 4 | * Copyright (c) 2002-2006, Ericsson AB |
5 | * Copyright (c) 2004-2006, Wind River Systems | 5 | * Copyright (c) 2004-2007, Wind River Systems |
6 | * All rights reserved. | 6 | * All rights reserved. |
7 | * | 7 | * |
8 | * Redistribution and use in source and binary forms, with or without | 8 | * Redistribution and use in source and binary forms, with or without |
@@ -602,6 +602,10 @@ struct sk_buff *tipc_cfg_do_cmd(u32 orig_node, u16 cmd, const void *request_area | |||
602 | case TIPC_CMD_GET_NETID: | 602 | case TIPC_CMD_GET_NETID: |
603 | rep_tlv_buf = tipc_cfg_reply_unsigned(tipc_net_id); | 603 | rep_tlv_buf = tipc_cfg_reply_unsigned(tipc_net_id); |
604 | break; | 604 | break; |
605 | case TIPC_CMD_NOT_NET_ADMIN: | ||
606 | rep_tlv_buf = | ||
607 | tipc_cfg_reply_error_string(TIPC_CFG_NOT_NET_ADMIN); | ||
608 | break; | ||
605 | default: | 609 | default: |
606 | rep_tlv_buf = tipc_cfg_reply_error_string(TIPC_CFG_NOT_SUPPORTED | 610 | rep_tlv_buf = tipc_cfg_reply_error_string(TIPC_CFG_NOT_SUPPORTED |
607 | " (unknown command)"); | 611 | " (unknown command)"); |
diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c index 6a7f7b4c2595..c387217bb230 100644 --- a/net/tipc/netlink.c +++ b/net/tipc/netlink.c | |||
@@ -2,7 +2,7 @@ | |||
2 | * net/tipc/netlink.c: TIPC configuration handling | 2 | * net/tipc/netlink.c: TIPC configuration handling |
3 | * | 3 | * |
4 | * Copyright (c) 2005-2006, Ericsson AB | 4 | * Copyright (c) 2005-2006, Ericsson AB |
5 | * Copyright (c) 2005, Wind River Systems | 5 | * Copyright (c) 2005-2007, Wind River Systems |
6 | * All rights reserved. | 6 | * All rights reserved. |
7 | * | 7 | * |
8 | * Redistribution and use in source and binary forms, with or without | 8 | * Redistribution and use in source and binary forms, with or without |
@@ -45,15 +45,17 @@ static int handle_cmd(struct sk_buff *skb, struct genl_info *info) | |||
45 | struct nlmsghdr *req_nlh = info->nlhdr; | 45 | struct nlmsghdr *req_nlh = info->nlhdr; |
46 | struct tipc_genlmsghdr *req_userhdr = info->userhdr; | 46 | struct tipc_genlmsghdr *req_userhdr = info->userhdr; |
47 | int hdr_space = NLMSG_SPACE(GENL_HDRLEN + TIPC_GENL_HDRLEN); | 47 | int hdr_space = NLMSG_SPACE(GENL_HDRLEN + TIPC_GENL_HDRLEN); |
48 | u16 cmd; | ||
48 | 49 | ||
49 | if ((req_userhdr->cmd & 0xC000) && (!capable(CAP_NET_ADMIN))) | 50 | if ((req_userhdr->cmd & 0xC000) && (!capable(CAP_NET_ADMIN))) |
50 | rep_buf = tipc_cfg_reply_error_string(TIPC_CFG_NOT_NET_ADMIN); | 51 | cmd = TIPC_CMD_NOT_NET_ADMIN; |
51 | else | 52 | else |
52 | rep_buf = tipc_cfg_do_cmd(req_userhdr->dest, | 53 | cmd = req_userhdr->cmd; |
53 | req_userhdr->cmd, | 54 | |
54 | NLMSG_DATA(req_nlh) + GENL_HDRLEN + TIPC_GENL_HDRLEN, | 55 | rep_buf = tipc_cfg_do_cmd(req_userhdr->dest, cmd, |
55 | NLMSG_PAYLOAD(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN), | 56 | NLMSG_DATA(req_nlh) + GENL_HDRLEN + TIPC_GENL_HDRLEN, |
56 | hdr_space); | 57 | NLMSG_PAYLOAD(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN), |
58 | hdr_space); | ||
57 | 59 | ||
58 | if (rep_buf) { | 60 | if (rep_buf) { |
59 | skb_push(rep_buf, hdr_space); | 61 | skb_push(rep_buf, hdr_space); |