diff options
| author | Arjan van de Ven <arjan@linux.intel.com> | 2010-01-04 10:37:12 -0500 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2010-01-04 10:37:12 -0500 |
| commit | 04bcef2a83f40c6db24222b27a52892cba39dffb (patch) | |
| tree | 0fdd15422ad26fa2b49f0712c73495477ed8b838 /net/netfilter | |
| parent | ae24e578de02b87cce3dc59248c29b2ecb071e9e (diff) | |
ipvs: Add boundary check on ioctl arguments
The ipvs code has a nifty system for doing the size of ioctl command
copies; it defines an array with values into which it indexes the cmd
to find the right length.
Unfortunately, the ipvs code forgot to check if the cmd was in the
range that the array provides, allowing for an index outside of the
array, which then gives a "garbage" result into the length, which
then gets used for copying into a stack buffer.
Fix this by adding sanity checks on these as well as the copy size.
[ horms@verge.net.au: adjusted limit to IP_VS_SO_GET_MAX ]
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/ipvs/ip_vs_ctl.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index 6bde12da2fe0..c37ac2d7bec4 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c | |||
| @@ -2077,6 +2077,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) | |||
| 2077 | if (!capable(CAP_NET_ADMIN)) | 2077 | if (!capable(CAP_NET_ADMIN)) |
| 2078 | return -EPERM; | 2078 | return -EPERM; |
| 2079 | 2079 | ||
| 2080 | if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX) | ||
| 2081 | return -EINVAL; | ||
| 2082 | if (len < 0 || len > MAX_ARG_LEN) | ||
| 2083 | return -EINVAL; | ||
| 2080 | if (len != set_arglen[SET_CMDID(cmd)]) { | 2084 | if (len != set_arglen[SET_CMDID(cmd)]) { |
| 2081 | pr_err("set_ctl: len %u != %u\n", | 2085 | pr_err("set_ctl: len %u != %u\n", |
| 2082 | len, set_arglen[SET_CMDID(cmd)]); | 2086 | len, set_arglen[SET_CMDID(cmd)]); |
| @@ -2352,17 +2356,25 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) | |||
| 2352 | { | 2356 | { |
| 2353 | unsigned char arg[128]; | 2357 | unsigned char arg[128]; |
| 2354 | int ret = 0; | 2358 | int ret = 0; |
| 2359 | unsigned int copylen; | ||
| 2355 | 2360 | ||
| 2356 | if (!capable(CAP_NET_ADMIN)) | 2361 | if (!capable(CAP_NET_ADMIN)) |
| 2357 | return -EPERM; | 2362 | return -EPERM; |
| 2358 | 2363 | ||
| 2364 | if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX) | ||
| 2365 | return -EINVAL; | ||
| 2366 | |||
| 2359 | if (*len < get_arglen[GET_CMDID(cmd)]) { | 2367 | if (*len < get_arglen[GET_CMDID(cmd)]) { |
| 2360 | pr_err("get_ctl: len %u < %u\n", | 2368 | pr_err("get_ctl: len %u < %u\n", |
| 2361 | *len, get_arglen[GET_CMDID(cmd)]); | 2369 | *len, get_arglen[GET_CMDID(cmd)]); |
| 2362 | return -EINVAL; | 2370 | return -EINVAL; |
| 2363 | } | 2371 | } |
| 2364 | 2372 | ||
| 2365 | if (copy_from_user(arg, user, get_arglen[GET_CMDID(cmd)]) != 0) | 2373 | copylen = get_arglen[GET_CMDID(cmd)]; |
| 2374 | if (copylen > 128) | ||
| 2375 | return -EINVAL; | ||
| 2376 | |||
| 2377 | if (copy_from_user(arg, user, copylen) != 0) | ||
| 2366 | return -EFAULT; | 2378 | return -EFAULT; |
| 2367 | 2379 | ||
| 2368 | if (mutex_lock_interruptible(&__ip_vs_mutex)) | 2380 | if (mutex_lock_interruptible(&__ip_vs_mutex)) |