diff options
author | Eric Dumazet <dada1@cosmosbay.com> | 2008-11-11 00:43:08 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-11-11 00:43:08 -0500 |
commit | b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8 (patch) | |
tree | 35c8712758f3113030da5e3a295fe9f8c4b70d25 /net | |
parent | 013cd397532e5803a1625954a884d021653da720 (diff) |
net: fix /proc/net/snmp as memory corruptor
icmpmsg_put() can happily corrupt kernel memory, using a static
table and forgetting to reset an array index in a loop.
Remove the static array since its not safe without proper locking.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/proc.c | 58 |
1 files changed, 30 insertions, 28 deletions
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c index 8f5a403f6f6b..a631a1f110ca 100644 --- a/net/ipv4/proc.c +++ b/net/ipv4/proc.c | |||
@@ -237,43 +237,45 @@ static const struct snmp_mib snmp4_net_list[] = { | |||
237 | SNMP_MIB_SENTINEL | 237 | SNMP_MIB_SENTINEL |
238 | }; | 238 | }; |
239 | 239 | ||
240 | static void icmpmsg_put_line(struct seq_file *seq, unsigned long *vals, | ||
241 | unsigned short *type, int count) | ||
242 | { | ||
243 | int j; | ||
244 | |||
245 | if (count) { | ||
246 | seq_printf(seq, "\nIcmpMsg:"); | ||
247 | for (j = 0; j < count; ++j) | ||
248 | seq_printf(seq, " %sType%u", | ||
249 | type[j] & 0x100 ? "Out" : "In", | ||
250 | type[j] & 0xff); | ||
251 | seq_printf(seq, "\nIcmpMsg:"); | ||
252 | for (j = 0; j < count; ++j) | ||
253 | seq_printf(seq, " %lu", vals[j]); | ||
254 | } | ||
255 | } | ||
256 | |||
240 | static void icmpmsg_put(struct seq_file *seq) | 257 | static void icmpmsg_put(struct seq_file *seq) |
241 | { | 258 | { |
242 | #define PERLINE 16 | 259 | #define PERLINE 16 |
243 | 260 | ||
244 | int j, i, count; | 261 | int i, count; |
245 | static int out[PERLINE]; | 262 | unsigned short type[PERLINE]; |
263 | unsigned long vals[PERLINE], val; | ||
246 | struct net *net = seq->private; | 264 | struct net *net = seq->private; |
247 | 265 | ||
248 | count = 0; | 266 | count = 0; |
249 | for (i = 0; i < ICMPMSG_MIB_MAX; i++) { | 267 | for (i = 0; i < ICMPMSG_MIB_MAX; i++) { |
250 | 268 | val = snmp_fold_field((void **) net->mib.icmpmsg_statistics, i); | |
251 | if (snmp_fold_field((void **) net->mib.icmpmsg_statistics, i)) | 269 | if (val) { |
252 | out[count++] = i; | 270 | type[count] = i; |
253 | if (count < PERLINE) | 271 | vals[count++] = val; |
254 | continue; | 272 | } |
255 | 273 | if (count == PERLINE) { | |
256 | seq_printf(seq, "\nIcmpMsg:"); | 274 | icmpmsg_put_line(seq, vals, type, count); |
257 | for (j = 0; j < PERLINE; ++j) | 275 | count = 0; |
258 | seq_printf(seq, " %sType%u", i & 0x100 ? "Out" : "In", | 276 | } |
259 | i & 0xff); | ||
260 | seq_printf(seq, "\nIcmpMsg: "); | ||
261 | for (j = 0; j < PERLINE; ++j) | ||
262 | seq_printf(seq, " %lu", | ||
263 | snmp_fold_field((void **) net->mib.icmpmsg_statistics, | ||
264 | out[j])); | ||
265 | seq_putc(seq, '\n'); | ||
266 | } | ||
267 | if (count) { | ||
268 | seq_printf(seq, "\nIcmpMsg:"); | ||
269 | for (j = 0; j < count; ++j) | ||
270 | seq_printf(seq, " %sType%u", out[j] & 0x100 ? "Out" : | ||
271 | "In", out[j] & 0xff); | ||
272 | seq_printf(seq, "\nIcmpMsg:"); | ||
273 | for (j = 0; j < count; ++j) | ||
274 | seq_printf(seq, " %lu", snmp_fold_field((void **) | ||
275 | net->mib.icmpmsg_statistics, out[j])); | ||
276 | } | 277 | } |
278 | icmpmsg_put_line(seq, vals, type, count); | ||
277 | 279 | ||
278 | #undef PERLINE | 280 | #undef PERLINE |
279 | } | 281 | } |