From: Dan Carpenter <dan.carpenter@oracle.com>
To: Ralf Baechle <ralf@linux-mips.org>
Cc: "David S. Miller" <davem@davemloft.net>,
netdev@vger.kernel.org, linux-hams@vger.kernel.org,
Walter Harms <wharms@bfs.de>,
Thomas Osterried <thomas@osterried.de>
Subject: Re: [PATCH 2/4] NET: NETROM: When adding a route verify length of mnemonic string.
Date: Fri, 25 Nov 2011 14:36:03 +0300 [thread overview]
Message-ID: <20111125113603.GN3258@mwanda> (raw)
In-Reply-To: <cfff1df64b18a89140ff995189c6a3c484815997.1322214950.git.ralf@linux-mips.org>
[-- Attachment #1: Type: text/plain, Size: 897 bytes --]
On Fri, Nov 25, 2011 at 09:08:49AM +0000, Ralf Baechle wrote:
> struct nr_route_struct's mnemonic permits a string of up to 7 bytes to be
> used. If userland passes a not zero terminated string to the kernel adding
> a node to the routing table might result in the kernel attempting to read
> copy a too long string.
>
> Mnemonic is part of the NET/ROM routing protocol; NET/ROM routing table
> updates only broadcast 6 bytes. The 7th byte in the mnemonic array exists
> only as a \0 termination character for the kernel code's convenience.
>
> Fixed by rejecting mnemonic strings that have no terminating \0 in the first
> 7 characters. Do this test only NETROM_NODE to avoid breaking NETROM_NEIGH
> where userland might passing an uninitialized mnemonic field.
Good point... I missed that.
Acked-by: Dan Carpenter <dan.carpenter@oracle.com>
regards,
dan carpenter
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
next prev parent reply other threads:[~2011-11-25 11:36 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-25 9:55 [PATCH 0/4] AX.25 and NET/ROM fixes and improvments Ralf Baechle
2011-11-24 16:12 ` [PATCH 1/4] NET: AX.25: Check ioctl arguments to avoid overflows further down the road Ralf Baechle
2011-11-29 6:17 ` David Miller
2011-11-25 9:08 ` [PATCH 2/4] NET: NETROM: When adding a route verify length of mnemonic string Ralf Baechle
2011-11-25 11:36 ` Dan Carpenter [this message]
2011-11-29 6:18 ` David Miller
2011-11-25 9:09 ` [PATCH 3/4] NET: NETROM: Cleanup argument SIOCADDRT ioctl argument checking Ralf Baechle
2011-11-25 11:22 ` walter harms
2011-11-25 12:12 ` [PATCH 3/4] NET: NETROM: Cleanup argument SIOCADDRT ioctl argument walter harms
2011-11-25 12:12 ` [PATCH 3/4] NET: NETROM: Cleanup argument SIOCADDRT ioctl argument checking walter harms
2011-11-25 12:12 ` walter harms
2011-11-25 13:26 ` Thomas Osterried
2011-11-25 13:26 ` Thomas Osterried
2011-11-29 6:18 ` David Miller
2011-11-25 9:54 ` [PATCH 4/4] NET: NETROM: Fix formatting Ralf Baechle
2011-11-29 6:18 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111125113603.GN3258@mwanda \
--to=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=linux-hams@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=ralf@linux-mips.org \
--cc=thomas@osterried.de \
--cc=wharms@bfs.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.