* [DECNet] fib: Fix out of bound access of fib_props[]
@ 2006-11-29 13:55 Thomas Graf
0 siblings, 0 replies; only message in thread
From: Thomas Graf @ 2006-11-29 13:55 UTC (permalink / raw)
To: davem; +Cc: netdev
Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Index: net-2.6/net/decnet/dn_fib.c
===================================================================
--- net-2.6.orig/net/decnet/dn_fib.c 2006-11-29 13:35:51.000000000 +0100
+++ net-2.6/net/decnet/dn_fib.c 2006-11-29 13:36:17.000000000 +0100
@@ -63,7 +63,7 @@
{
int error;
u8 scope;
-} dn_fib_props[RTA_MAX+1] = {
+} dn_fib_props[RTN_MAX+1] = {
[RTN_UNSPEC] = { .error = 0, .scope = RT_SCOPE_NOWHERE },
[RTN_UNICAST] = { .error = 0, .scope = RT_SCOPE_UNIVERSE },
[RTN_LOCAL] = { .error = 0, .scope = RT_SCOPE_HOST },
@@ -276,6 +276,9 @@
struct dn_fib_info *ofi;
int nhs = 1;
+ if (r->rtm_type > RTN_MAX)
+ goto err_inval;
+
if (dn_fib_props[r->rtm_type].scope > r->rtm_scope)
goto err_inval;
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2006-11-29 13:55 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-11-29 13:55 [DECNet] fib: Fix out of bound access of fib_props[] Thomas Graf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).