aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorEric Dumazet <dada1@cosmosbay.com>2008-11-11 00:43:08 -0500
committerDavid S. Miller <davem@davemloft.net>2008-11-11 00:43:08 -0500
commitb971e7ac834e9f4bda96d5a96ae9abccd01c1dd8 (patch)
tree35c8712758f3113030da5e3a295fe9f8c4b70d25 /net
parent013cd397532e5803a1625954a884d021653da720 (diff)
net: fix /proc/net/snmp as memory corruptor
icmpmsg_put() can happily corrupt kernel memory, using a static table and forgetting to reset an array index in a loop. Remove the static array since its not safe without proper locking. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Eric Dumazet <dada1@cosmosbay.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/proc.c58
1 files changed, 30 insertions, 28 deletions
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
index 8f5a403f6f6b..a631a1f110ca 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -237,43 +237,45 @@ static const struct snmp_mib snmp4_net_list[] = {
237 SNMP_MIB_SENTINEL 237 SNMP_MIB_SENTINEL
238}; 238};
239 239
240static void icmpmsg_put_line(struct seq_file *seq, unsigned long *vals,
241 unsigned short *type, int count)
242{
243 int j;
244
245 if (count) {
246 seq_printf(seq, "\nIcmpMsg:");
247 for (j = 0; j < count; ++j)
248 seq_printf(seq, " %sType%u",
249 type[j] & 0x100 ? "Out" : "In",
250 type[j] & 0xff);
251 seq_printf(seq, "\nIcmpMsg:");
252 for (j = 0; j < count; ++j)
253 seq_printf(seq, " %lu", vals[j]);
254 }
255}
256
240static void icmpmsg_put(struct seq_file *seq) 257static void icmpmsg_put(struct seq_file *seq)
241{ 258{
242#define PERLINE 16 259#define PERLINE 16
243 260
244 int j, i, count; 261 int i, count;
245 static int out[PERLINE]; 262 unsigned short type[PERLINE];
263 unsigned long vals[PERLINE], val;
246 struct net *net = seq->private; 264 struct net *net = seq->private;
247 265
248 count = 0; 266 count = 0;
249 for (i = 0; i < ICMPMSG_MIB_MAX; i++) { 267 for (i = 0; i < ICMPMSG_MIB_MAX; i++) {
250 268 val = snmp_fold_field((void **) net->mib.icmpmsg_statistics, i);
251 if (snmp_fold_field((void **) net->mib.icmpmsg_statistics, i)) 269 if (val) {
252 out[count++] = i; 270 type[count] = i;
253 if (count < PERLINE) 271 vals[count++] = val;
254 continue; 272 }
255 273 if (count == PERLINE) {
256 seq_printf(seq, "\nIcmpMsg:"); 274 icmpmsg_put_line(seq, vals, type, count);
257 for (j = 0; j < PERLINE; ++j) 275 count = 0;
258 seq_printf(seq, " %sType%u", i & 0x100 ? "Out" : "In", 276 }
259 i & 0xff);
260 seq_printf(seq, "\nIcmpMsg: ");
261 for (j = 0; j < PERLINE; ++j)
262 seq_printf(seq, " %lu",
263 snmp_fold_field((void **) net->mib.icmpmsg_statistics,
264 out[j]));
265 seq_putc(seq, '\n');
266 }
267 if (count) {
268 seq_printf(seq, "\nIcmpMsg:");
269 for (j = 0; j < count; ++j)
270 seq_printf(seq, " %sType%u", out[j] & 0x100 ? "Out" :
271 "In", out[j] & 0xff);
272 seq_printf(seq, "\nIcmpMsg:");
273 for (j = 0; j < count; ++j)
274 seq_printf(seq, " %lu", snmp_fold_field((void **)
275 net->mib.icmpmsg_statistics, out[j]));
276 } 277 }
278 icmpmsg_put_line(seq, vals, type, count);
277 279
278#undef PERLINE 280#undef PERLINE
279} 281}