diff options
| author | Li Wei <lw@cn.fujitsu.com> | 2012-07-29 12:01:30 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-07-30 02:18:31 -0400 |
| commit | 8253947e2cdfb14717c9212b751b7aec9ea9ef5e (patch) | |
| tree | 9089fdfff63ec45eec1cd49d74ca53b3a4096226 /net | |
| parent | b41a9a66f67817f8acd85bd650e012a14da39faa (diff) | |
ipv6: fix incorrect route 'expires' value passed to userspace
When userspace use RTM_GETROUTE to dump route table, with an already
expired route entry, we always got an 'expires' value(2147157)
calculated base on INT_MAX.
The reason of this problem is in the following satement:
rt->dst.expires - jiffies < INT_MAX
gcc promoted the type of both sides of '<' to unsigned long, thus
a small negative value would be considered greater than INT_MAX.
With the help of Eric Dumazet, do the out of bound checks in
rtnl_put_cacheinfo(), _after_ conversion to clock_t.
Signed-off-by: Li Wei <lw@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/core/rtnetlink.c | 8 | ||||
| -rw-r--r-- | net/ipv6/route.c | 8 |
2 files changed, 8 insertions, 8 deletions
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index bc9e380f0abf..5ff949dc954f 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c | |||
| @@ -625,9 +625,13 @@ int rtnl_put_cacheinfo(struct sk_buff *skb, struct dst_entry *dst, u32 id, | |||
| 625 | .rta_id = id, | 625 | .rta_id = id, |
| 626 | }; | 626 | }; |
| 627 | 627 | ||
| 628 | if (expires) | 628 | if (expires) { |
| 629 | ci.rta_expires = jiffies_to_clock_t(expires); | 629 | unsigned long clock; |
| 630 | 630 | ||
| 631 | clock = jiffies_to_clock_t(abs(expires)); | ||
| 632 | clock = min_t(unsigned long, clock, INT_MAX); | ||
| 633 | ci.rta_expires = (expires > 0) ? clock : -clock; | ||
| 634 | } | ||
| 631 | return nla_put(skb, RTA_CACHEINFO, sizeof(ci), &ci); | 635 | return nla_put(skb, RTA_CACHEINFO, sizeof(ci), &ci); |
| 632 | } | 636 | } |
| 633 | EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo); | 637 | EXPORT_SYMBOL_GPL(rtnl_put_cacheinfo); |
diff --git a/net/ipv6/route.c b/net/ipv6/route.c index cf02cb97bbdd..8e80fd279100 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c | |||
| @@ -2480,12 +2480,8 @@ static int rt6_fill_node(struct net *net, | |||
| 2480 | goto nla_put_failure; | 2480 | goto nla_put_failure; |
| 2481 | if (nla_put_u32(skb, RTA_PRIORITY, rt->rt6i_metric)) | 2481 | if (nla_put_u32(skb, RTA_PRIORITY, rt->rt6i_metric)) |
| 2482 | goto nla_put_failure; | 2482 | goto nla_put_failure; |
| 2483 | if (!(rt->rt6i_flags & RTF_EXPIRES)) | 2483 | |
| 2484 | expires = 0; | 2484 | expires = (rt->rt6i_flags & RTF_EXPIRES) ? rt->dst.expires - jiffies : 0; |
| 2485 | else if (rt->dst.expires - jiffies < INT_MAX) | ||
| 2486 | expires = rt->dst.expires - jiffies; | ||
| 2487 | else | ||
| 2488 | expires = INT_MAX; | ||
| 2489 | 2485 | ||
| 2490 | if (rtnl_put_cacheinfo(skb, &rt->dst, 0, expires, rt->dst.error) < 0) | 2486 | if (rtnl_put_cacheinfo(skb, &rt->dst, 0, expires, rt->dst.error) < 0) |
| 2491 | goto nla_put_failure; | 2487 | goto nla_put_failure; |