* [PATCH net-next 1/3] pktgen: fix out-of-bounds access in pgctrl_write()
2014-02-21 20:38 [PATCH net-next 0/3] pktgen: small cleanups Mathias Krause
@ 2014-02-21 20:38 ` Mathias Krause
2014-02-21 20:38 ` [PATCH net-next 2/3] pktgen: simplify error handling " Mathias Krause
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Mathias Krause @ 2014-02-21 20:38 UTC (permalink / raw)
To: David S. Miller; +Cc: netdev, Mathias Krause
If a privileged user writes an empty string to /proc/net/pktgen/pgctrl
the code for stripping the (then non-existent) '\n' actually writes the
zero byte at index -1 of data[]. The then still uninitialized array will
very likely fail the command matching tests and the pr_warning() at the
end will therefore leak stack bytes to the kernel log.
Fix those issues by simply ensuring we're passed a non-empty string as
the user API apparently expects a trailing '\n' for all commands.
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
net/core/pktgen.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index fdac61cac1..cc07c43494 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -485,6 +485,9 @@ static ssize_t pgctrl_write(struct file *file, const char __user *buf,
goto out;
}
+ if (count == 0)
+ return -EINVAL;
+
if (count > sizeof(data))
count = sizeof(data);
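Review bot: The new `count == 0` guard has no comment tying it to the `data[count - 1] = 0` store further down, so a later cleanup could drop it without noticing that it is what keeps that index from becoming `data[-1]`. I would add `/* count - 1 is used as an index below; reject empty writes */` above the check. The check also returns directly while the error path on the context line above still uses `goto out`; nothing needs unwinding here, so that is harmless, but it leaves two exit styles in one function. The body of pgctrl_write() starts and ends outside this hunk.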
@@ -492,7 +495,7 @@ static ssize_t pgctrl_write(struct file *file, const char __user *buf,
err = -EFAULT;
goto out;
}
- data[count - 1] = 0; /* Make string */
+ data[count - 1] = 0; /* Strip trailing '\n' and terminate string */
if (!strcmp(data, "stop"))
pktgen_stop_all_threads_ifs(pn);
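Review bot: The reworded comment on `data[count - 1] = 0` says the trailing '\n' is stripped, but the store overwrites whatever the last byte happens to be. That can be the final character of a command written without a newline, or the last byte kept after the clamp to `sizeof(data)` shown in the first hunk of this patch. Either describe what the code does, e.g. `/* Terminate string, overwriting the last byte (expected to be '\n') */`, or test for the newline before dropping it. The surrounding function continues outside the hunk.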
--
1.7.10.4
* [PATCH net-next 2/3] pktgen: simplify error handling in pgctrl_write()
2014-02-21 20:38 [PATCH net-next 0/3] pktgen: small cleanups Mathias Krause
2014-02-21 20:38 ` [PATCH net-next 1/3] pktgen: fix out-of-bounds access in pgctrl_write() Mathias Krause
@ 2014-02-21 20:38 ` Mathias Krause
2014-02-21 20:38 ` [PATCH net-next 3/3] pktgen: document all supported flags Mathias Krause
2014-02-24 23:54 ` [PATCH net-next 0/3] pktgen: small cleanups David Miller
3 siblings, 0 replies; 5+ messages in thread
From: Mathias Krause @ 2014-02-21 20:38 UTC (permalink / raw)
To: David S. Miller; +Cc: netdev, Mathias Krause
The 'out' label is just a relic from earlier times, when pgctrl_write()
had multiple error paths. Get rid of it and simply return right away
on errors.
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
net/core/pktgen.c | 19 ++++++-------------
1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index cc07c43494..53c3097117 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -476,14 +476,11 @@ static int pgctrl_show(struct seq_file *seq, void *v)
static ssize_t pgctrl_write(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
- int err = 0;
char data[128];
struct pktgen_net *pn = net_generic(current->nsproxy->net_ns, pg_net_id);
- if (!capable(CAP_NET_ADMIN)) {
- err = -EPERM;
- goto out;
- }
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
if (count == 0)
return -EINVAL;
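Review bot: The simplified `if (!capable(CAP_NET_ADMIN)) return -EPERM;` still evaluates the privilege of whichever task performs the write, and the context line above it takes the `pktgen_net` from `current->nsproxy->net_ns` rather than from the opened file. If the descriptor can ever be written by a task other than its opener, both the permission check and the namespace follow the writer. Whether that is reachable depends on the proc entry's mode and ownership, which are not visible in this patch. Once that is confirmed, a short comment above the check stating the assumption (who may open pgctrl, and that the netns is the writer's) would make it reviewable.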
@@ -491,10 +488,9 @@ static ssize_t pgctrl_write(struct file *file, const char __user *buf,
if (count > sizeof(data))
count = sizeof(data);
- if (copy_from_user(data, buf, count)) {
- err = -EFAULT;
- goto out;
- }
+ if (copy_from_user(data, buf, count))
+ return -EFAULT;
+
data[count - 1] = 0; /* Strip trailing '\n' and terminate string */
if (!strcmp(data, "stop"))
@@ -509,10 +505,7 @@ static ssize_t pgctrl_write(struct file *file, const char __user *buf,
else
pr_warning("Unknown command: %s\n", data);
- err = count;
-
-out:
- return err;
+ return count;
}
static int pgctrl_open(struct inode *inode, struct file *file)
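Review bot: The unknown-command branch still falls through to `return count;`, so a write that matched no command reports success and the only trace is the `pr_warning()` line in the kernel log. Now that every error returns directly, `return -EINVAL;` after the warning would let callers detect the rejection, though existing scripts that rely on the current return value would need checking first. The logged string is caller-supplied and printed with `%s`, so any embedded control characters reach the log as written. The command-matching chain above the `else` is outside this hunk.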
--
1.7.10.4
* [PATCH net-next 3/3] pktgen: document all supported flags
2014-02-21 20:38 [PATCH net-next 0/3] pktgen: small cleanups Mathias Krause
2014-02-21 20:38 ` [PATCH net-next 1/3] pktgen: fix out-of-bounds access in pgctrl_write() Mathias Krause
2014-02-21 20:38 ` [PATCH net-next 2/3] pktgen: simplify error handling " Mathias Krause
@ 2014-02-21 20:38 ` Mathias Krause
2014-02-24 23:54 ` [PATCH net-next 0/3] pktgen: small cleanups David Miller
3 siblings, 0 replies; 5+ messages in thread
From: Mathias Krause @ 2014-02-21 20:38 UTC (permalink / raw)
To: David S. Miller; +Cc: netdev, Mathias Krause, Fan Du
The documentation is missing a few of the supported flags. Fix this. Also
respect the dependency on CONFIG_XFRM for the IPSEC flag.
Cc: Fan Du <fan.du@windriver.com>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
Documentation/networking/pktgen.txt | 24 +++++++++++++++++++-----
net/core/pktgen.c | 8 +++++++-
2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/Documentation/networking/pktgen.txt b/Documentation/networking/pktgen.txt
index 5a61a240a6..0e30c7845b 100644
--- a/Documentation/networking/pktgen.txt
+++ b/Documentation/networking/pktgen.txt
@@ -102,13 +102,18 @@ Examples:
The 'minimum' MAC is what you set with dstmac.
pgset "flag [name]" Set a flag to determine behaviour. Current flags
- are: IPSRC_RND #IP Source is random (between min/max),
- IPDST_RND, UDPSRC_RND,
- UDPDST_RND, MACSRC_RND, MACDST_RND
+ are: IPSRC_RND # IP source is random (between min/max)
+ IPDST_RND # IP destination is random
+ UDPSRC_RND, UDPDST_RND,
+ MACSRC_RND, MACDST_RND
+ TXSIZE_RND, IPV6,
MPLS_RND, VID_RND, SVID_RND
+ FLOW_SEQ,
QUEUE_MAP_RND # queue map random
QUEUE_MAP_CPU # queue map mirrors smp_processor_id()
- IPSEC # Make IPsec encapsulation for packet
+ UDPCSUM,
+ IPSEC # IPsec encapsulation (needs CONFIG_XFRM)
+ NODE_ALLOC # node specific memory allocation
pgset spi SPI_VALUE Set specific SA used to transform packet.
@@ -233,13 +238,22 @@ udp_dst_max
flag
IPSRC_RND
- TXSIZE_RND
IPDST_RND
UDPSRC_RND
UDPDST_RND
MACSRC_RND
MACDST_RND
+ TXSIZE_RND
+ IPV6
+ MPLS_RND
+ VID_RND
+ SVID_RND
+ FLOW_SEQ
+ QUEUE_MAP_RND
+ QUEUE_MAP_CPU
+ UDPCSUM
IPSEC
+ NODE_ALLOC
dst_min
dst_max
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index 53c3097117..d0dac57291 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -1247,7 +1247,13 @@ static ssize_t pktgen_if_write(struct file *file,
"Flag -:%s:- unknown\nAvailable flags, (prepend ! to un-set flag):\n%s",
f,
"IPSRC_RND, IPDST_RND, UDPSRC_RND, UDPDST_RND, "
- "MACSRC_RND, MACDST_RND, TXSIZE_RND, IPV6, MPLS_RND, VID_RND, SVID_RND, FLOW_SEQ, IPSEC, NODE_ALLOC\n");
+ "MACSRC_RND, MACDST_RND, TXSIZE_RND, IPV6, "
+ "MPLS_RND, VID_RND, SVID_RND, FLOW_SEQ, "
+ "QUEUE_MAP_RND, QUEUE_MAP_CPU, UDPCSUM, "
+#ifdef CONFIG_XFRM
+ "IPSEC, "
+#endif
+ "NODE_ALLOC\n");
return count;
}
sprintf(pg_result, "OK: flags=0x%x", pkt_dev->flags);
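Review bot: The flag list grows by three entries here, and nothing in view bounds the message if this string belongs to an unbounded `sprintf()` into `pg_result` like the one on the last line of the hunk. The message also embeds the caller-supplied flag name `f`. The call begins above the hunk, so both the function used and the size of `pg_result` need confirming; if it is `sprintf()`, `snprintf(pg_result, <size of the result buffer>, ...)` would keep future additions to the list from overrunning it. The `#ifdef CONFIG_XFRM` in the middle of the argument list works only because adjacent string literals concatenate, and a one-line comment such as `/* adjacent literals concatenate; keep the trailing ", " inside the #ifdef */` would help the next person adding a flag.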
--
1.7.10.4