* [PATCH] “ip maddr show” on an infiniband address causes a stack corruption
@ 2008-11-25 12:36 Olivier Fourdan
From: Olivier Fourdan @ 2008-11-25 12:36 UTC (permalink / raw)
To: netdev
[-- Attachment #1: Type: text/plain, Size: 529 bytes --]
Hi,
“ip maddr show” on an infiniband address causes a stack corruption
because the length of the address for Infiniband (20 bytes, as
described in kernel doc Documentation/infiniband/ipoib.txt) does not
fit on the 16 bytes of the field in which it gets stored.
The proposed patch increases the size of the hardware address from 4
__u32 to 8 and also adds a check to avoid overriding the available
size while parsing the hardware address.
This bug affects current upstream code AFAICT.
Hope this helps,
Cheers,
Olivier.
[-- Attachment #2: iproute2-2.6.26-check-hwaddr-size.patch --]
[-- Type: text/x-patch; name="iproute2-2.6.26-check-hwaddr-size.patch", Size: 1815 bytes --]
“ip maddr show ib0” causes a stack corruption because the length of the address
for Infiniband (20 see kernel doc Documentation/infiniband/ipoib.txt) does not
fit on the 16 bytes of the field in which it gets stored.
The proposed patch increases the size of the hardware address from 4 u32 to 8
and adds a check to avoid overriding the available size while parsing the
hardware address.
This bug affects current upstream code and should be reported upstream.
include/utils.h | 2 +-
ip/ipmaddr.c | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
--- iproute2-2.6.26/include/utils.h.hwaddrsize 2008-11-25 11:02:30.000000000 +0000
+++ iproute2-2.6.26/include/utils.h 2008-11-25 11:08:28.000000000 +0000
@@ -46,7 +46,7 @@
__u8 bytelen;
__s16 bitlen;
__u32 flags;
- __u32 data[4];
+ __u32 data[8];
} inet_prefix;
#define PREFIXLEN_SPECIFIED 1
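Review bot: The new size in `__u32 data[8];` is a bare number with no comment tying it to the 20-byte Infiniband hardware address the description cites. Eight words is 32 bytes, more than the 20 needed, so either document why 32 was chosen or derive the array size from a named constant for the largest supported hardware address, so that the next longer link-layer address does not reintroduce the overflow. Since inet_prefix is declared in include/utils.h, the changelog should also say that the data field grows from 16 to 32 bytes for every user of the struct, not only for ip maddr.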
--- iproute2-2.6.26/ip/ipmaddr.c.hwaddrsize 2008-11-25 11:02:51.000000000 +0000
+++ iproute2-2.6.26/ip/ipmaddr.c 2008-11-25 11:08:26.000000000 +0000
@@ -43,11 +43,11 @@
exit(-1);
}
-static int parse_hex(char *str, unsigned char *addr)
+static int parse_hex(char *str, unsigned char *addr, size_t size)
{
int len=0;
- while (*str) {
+ while (*str && (len < 2 * size)) {
int tmp;
if (str[1] == 0)
return -1;
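Review bot: In the new loop condition `while (*str && (len < 2 * size))` the factor of 2 needs justifying. size is the byte size of the destination (the call sites pass sizeof (m.addr.data)), so if len is advanced once per byte stored in addr, as the callers' use of the return value as a length suggests, the loop can still write up to twice the buffer and the bound should be `len < size`. Two further points on the same line: len is an int and size is a size_t, so the comparison mixes signed and unsigned, and hitting the bound leaves the loop exactly as reaching the end of the string does, so an over-long address is truncated silently instead of returning -1 as the odd-length case just below does.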
@@ -104,7 +104,7 @@
m.addr.family = AF_PACKET;
- len = parse_hex(hexa, (unsigned char*)&m.addr.data);
+ len = parse_hex(hexa, (unsigned char*)&m.addr.data, sizeof (m.addr.data));
if (len >= 0) {
struct ma_info *ma = malloc(sizeof(m));
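Review bot: Style on the added call: `sizeof (m.addr.data)` has a space before the parenthesis while `sizeof(m)` two lines below does not; use one form. `&m.addr.data` also takes the address of the whole array where `m.addr.data` would do (the cast is needed either way), and passing the array itself keeps the pointer argument and the sizeof argument visibly referring to the same object.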
@@ -176,7 +176,7 @@
m.addr.family = AF_INET6;
- len = parse_hex(hexa, (unsigned char*)&m.addr.data);
+ len = parse_hex(hexa, (unsigned char*)&m.addr.data, sizeof (m.addr.data));
if (len >= 0) {
struct ma_info *ma = malloc(sizeof(m));
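Review bot: For the AF_INET6 call the limit passed is sizeof (m.addr.data), which after the utils.h change is 32 bytes, while an IPv6 address is 16 bytes. The buffer is no longer overrun, but a malformed line carrying more than 16 bytes of hex is still parsed and then accepted by `if (len >= 0)`. Consider passing 16 here, or checking the returned len against it, so this path rejects anything that is not a full IPv6 address.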