diff options
| author | Francesco Fusco <ffusco@redhat.com> | 2013-07-24 04:39:06 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2013-07-26 17:22:10 -0400 |
| commit | 555445cd11803c6bc93b2be31968f3949ef7708b (patch) | |
| tree | 93fdd168676eac5f02b1f4ee349247a3aa8332b3 /net | |
| parent | 111cc5da2a95568ca20a5f86f43ae328c069e455 (diff) | |
neigh: prevent overflowing params in /proc/sys/net/ipv4/neigh/
Without this patch, the fields app_solicit, gc_thresh1, gc_thresh2,
gc_thresh3, proxy_qlen, ucast_solicit, mcast_solicit could have
assumed negative values when setting large numbers.
Signed-off-by: Francesco Fusco <ffusco@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/core/neighbour.c | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/net/core/neighbour.c b/net/core/neighbour.c index b7de821f98df..9232c68941ab 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c | |||
| @@ -2767,6 +2767,7 @@ EXPORT_SYMBOL(neigh_app_ns); | |||
| 2767 | 2767 | ||
| 2768 | #ifdef CONFIG_SYSCTL | 2768 | #ifdef CONFIG_SYSCTL |
| 2769 | static int zero; | 2769 | static int zero; |
| 2770 | static int int_max = INT_MAX; | ||
| 2770 | static int unres_qlen_max = INT_MAX / SKB_TRUESIZE(ETH_FRAME_LEN); | 2771 | static int unres_qlen_max = INT_MAX / SKB_TRUESIZE(ETH_FRAME_LEN); |
| 2771 | 2772 | ||
| 2772 | static int proc_unres_qlen(struct ctl_table *ctl, int write, | 2773 | static int proc_unres_qlen(struct ctl_table *ctl, int write, |
| @@ -2819,19 +2820,25 @@ static struct neigh_sysctl_table { | |||
| 2819 | .procname = "mcast_solicit", | 2820 | .procname = "mcast_solicit", |
| 2820 | .maxlen = sizeof(int), | 2821 | .maxlen = sizeof(int), |
| 2821 | .mode = 0644, | 2822 | .mode = 0644, |
| 2822 | .proc_handler = proc_dointvec, | 2823 | .extra1 = &zero, |
| 2824 | .extra2 = &int_max, | ||
| 2825 | .proc_handler = proc_dointvec_minmax, | ||
| 2823 | }, | 2826 | }, |
| 2824 | [NEIGH_VAR_UCAST_PROBE] = { | 2827 | [NEIGH_VAR_UCAST_PROBE] = { |
| 2825 | .procname = "ucast_solicit", | 2828 | .procname = "ucast_solicit", |
| 2826 | .maxlen = sizeof(int), | 2829 | .maxlen = sizeof(int), |
| 2827 | .mode = 0644, | 2830 | .mode = 0644, |
| 2828 | .proc_handler = proc_dointvec, | 2831 | .extra1 = &zero, |
| 2832 | .extra2 = &int_max, | ||
| 2833 | .proc_handler = proc_dointvec_minmax, | ||
| 2829 | }, | 2834 | }, |
| 2830 | [NEIGH_VAR_APP_PROBE] = { | 2835 | [NEIGH_VAR_APP_PROBE] = { |
| 2831 | .procname = "app_solicit", | 2836 | .procname = "app_solicit", |
| 2832 | .maxlen = sizeof(int), | 2837 | .maxlen = sizeof(int), |
| 2833 | .mode = 0644, | 2838 | .mode = 0644, |
| 2834 | .proc_handler = proc_dointvec, | 2839 | .extra1 = &zero, |
| 2840 | .extra2 = &int_max, | ||
| 2841 | .proc_handler = proc_dointvec_minmax, | ||
| 2835 | }, | 2842 | }, |
| 2836 | [NEIGH_VAR_RETRANS_TIME] = { | 2843 | [NEIGH_VAR_RETRANS_TIME] = { |
| 2837 | .procname = "retrans_time", | 2844 | .procname = "retrans_time", |
| @@ -2874,7 +2881,9 @@ static struct neigh_sysctl_table { | |||
| 2874 | .procname = "proxy_qlen", | 2881 | .procname = "proxy_qlen", |
| 2875 | .maxlen = sizeof(int), | 2882 | .maxlen = sizeof(int), |
| 2876 | .mode = 0644, | 2883 | .mode = 0644, |
| 2877 | .proc_handler = proc_dointvec, | 2884 | .extra1 = &zero, |
| 2885 | .extra2 = &int_max, | ||
| 2886 | .proc_handler = proc_dointvec_minmax, | ||
| 2878 | }, | 2887 | }, |
| 2879 | [NEIGH_VAR_ANYCAST_DELAY] = { | 2888 | [NEIGH_VAR_ANYCAST_DELAY] = { |
| 2880 | .procname = "anycast_delay", | 2889 | .procname = "anycast_delay", |
| @@ -2916,19 +2925,25 @@ static struct neigh_sysctl_table { | |||
| 2916 | .procname = "gc_thresh1", | 2925 | .procname = "gc_thresh1", |
| 2917 | .maxlen = sizeof(int), | 2926 | .maxlen = sizeof(int), |
| 2918 | .mode = 0644, | 2927 | .mode = 0644, |
| 2919 | .proc_handler = proc_dointvec, | 2928 | .extra1 = &zero, |
| 2929 | .extra2 = &int_max, | ||
| 2930 | .proc_handler = proc_dointvec_minmax, | ||
| 2920 | }, | 2931 | }, |
| 2921 | [NEIGH_VAR_GC_THRESH2] = { | 2932 | [NEIGH_VAR_GC_THRESH2] = { |
| 2922 | .procname = "gc_thresh2", | 2933 | .procname = "gc_thresh2", |
| 2923 | .maxlen = sizeof(int), | 2934 | .maxlen = sizeof(int), |
| 2924 | .mode = 0644, | 2935 | .mode = 0644, |
| 2925 | .proc_handler = proc_dointvec, | 2936 | .extra1 = &zero, |
| 2937 | .extra2 = &int_max, | ||
| 2938 | .proc_handler = proc_dointvec_minmax, | ||
| 2926 | }, | 2939 | }, |
| 2927 | [NEIGH_VAR_GC_THRESH3] = { | 2940 | [NEIGH_VAR_GC_THRESH3] = { |
| 2928 | .procname = "gc_thresh3", | 2941 | .procname = "gc_thresh3", |
| 2929 | .maxlen = sizeof(int), | 2942 | .maxlen = sizeof(int), |
| 2930 | .mode = 0644, | 2943 | .mode = 0644, |
| 2931 | .proc_handler = proc_dointvec, | 2944 | .extra1 = &zero, |
| 2945 | .extra2 = &int_max, | ||
| 2946 | .proc_handler = proc_dointvec_minmax, | ||
| 2932 | }, | 2947 | }, |
| 2933 | {}, | 2948 | {}, |
| 2934 | }, | 2949 | }, |