[IPv4] fib: Fix out of bound access of fib

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [IPv4] fib: Fix out of bound access of fib_props[]
@ 2007-03-24 15:34 Thomas Graf
  2007-03-25  3:33 ` David Miller
  0 siblings, 1 reply; 7+ messages in thread
From: Thomas Graf @ 2007-03-24 15:34 UTC (permalink / raw)
  To: davem; +Cc: netdev

Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.

Signed-off-by: Thomas Graf <tgraf@suug.ch>

Index: net-2.6/net/ipv4/fib_frontend.c
===================================================================
--- net-2.6.orig/net/ipv4/fib_frontend.c	2007-03-24 15:56:17.000000000 +0100
+++ net-2.6/net/ipv4/fib_frontend.c	2007-03-24 15:57:16.000000000 +0100
@@ -493,6 +493,11 @@ static int rtm_to_fib_config(struct sk_b
 	cfg->fc_nlinfo.pid = NETLINK_CB(skb).pid;
 	cfg->fc_nlinfo.nlh = nlh;
 
+	if (cfg->fc_type > RTN_MAX) {
+		err = -EINVAL;
+		goto errout;
+	}
+
 	nlmsg_for_each_attr(attr, nlh, sizeof(struct rtmsg), remaining) {
 		switch (attr->nla_type) {
 		case RTA_DST:
Index: net-2.6/net/ipv4/fib_semantics.c
===================================================================
--- net-2.6.orig/net/ipv4/fib_semantics.c	2007-03-24 15:57:42.000000000 +0100
+++ net-2.6/net/ipv4/fib_semantics.c	2007-03-24 15:58:14.000000000 +0100
@@ -89,7 +89,7 @@ static const struct
 {
 	int	error;
 	u8	scope;
-} fib_props[RTA_MAX + 1] = {
+} fib_props[RTN_MAX + 1] = {
 	{
 		.error	= 0,
 		.scope	= RT_SCOPE_NOWHERE,

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [IPv4] fib: Fix out of bound access of fib_props[]
  2007-03-24 15:34 [IPv4] fib: Fix out of bound access of fib_props[] Thomas Graf
@ 2007-03-25  3:33 ` David Miller
  2007-04-14 14:26   ` Willy Tarreau
  0 siblings, 1 reply; 7+ messages in thread
From: David Miller @ 2007-03-25  3:33 UTC (permalink / raw)
  To: tgraf; +Cc: netdev

From: Thomas Graf <tgraf@suug.ch>
Date: Sat, 24 Mar 2007 16:34:36 +0100

> Fixes a typo which caused fib_props[] to have the wrong size
> and makes sure the value used to index the array which is
> provided by userspace via netlink is checked to avoid out of
> bound access.
> 
> Signed-off-by: Thomas Graf <tgraf@suug.ch>

Applied, thanks.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [IPv4] fib: Fix out of bound access of fib_props[]
  2007-03-25  3:33 ` David Miller
@ 2007-04-14 14:26   ` Willy Tarreau
  2007-04-14 15:48     ` Willy Tarreau
  0 siblings, 1 reply; 7+ messages in thread
From: Willy Tarreau @ 2007-04-14 14:26 UTC (permalink / raw)
  To: David Miller; +Cc: tgraf, netdev

On Sat, Mar 24, 2007 at 08:33:39PM -0700, David Miller wrote:
> From: Thomas Graf <tgraf@suug.ch>
> Date: Sat, 24 Mar 2007 16:34:36 +0100
> 
> > Fixes a typo which caused fib_props[] to have the wrong size
> > and makes sure the value used to index the array which is
> > provided by userspace via netlink is checked to avoid out of
> > bound access.
> > 
> > Signed-off-by: Thomas Graf <tgraf@suug.ch>
> 
> Applied, thanks.

Thomas, David, it seems to me that 2.4 needs the same fix for the
typo, but I see no place where we may add the check for > RTN_MAX.
Maybe this last one is not needed. If someone could enlighten me,
or at least provide a means to test if the bug it present, it would
help me.

Thanks in advance,
Willy


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [IPv4] fib: Fix out of bound access of fib_props[]
  2007-04-14 14:26   ` Willy Tarreau
@ 2007-04-14 15:48     ` Willy Tarreau
  2007-04-16  8:14       ` Thomas Graf
  0 siblings, 1 reply; 7+ messages in thread
From: Willy Tarreau @ 2007-04-14 15:48 UTC (permalink / raw)
  To: David Miller; +Cc: tgraf, netdev

On Sat, Apr 14, 2007 at 04:26:55PM +0200, Willy Tarreau wrote:
> On Sat, Mar 24, 2007 at 08:33:39PM -0700, David Miller wrote:
> > From: Thomas Graf <tgraf@suug.ch>
> > Date: Sat, 24 Mar 2007 16:34:36 +0100
> > 
> > > Fixes a typo which caused fib_props[] to have the wrong size
> > > and makes sure the value used to index the array which is
> > > provided by userspace via netlink is checked to avoid out of
> > > bound access.
> > > 
> > > Signed-off-by: Thomas Graf <tgraf@suug.ch>
> > 
> > Applied, thanks.
> 
> Thomas, David, it seems to me that 2.4 needs the same fix for the
> typo, but I see no place where we may add the check for > RTN_MAX.
> Maybe this last one is not needed. If someone could enlighten me,
> or at least provide a means to test if the bug it present, it would
> help me.

Finally, I think I have the correct fix below. Please someone confirm
or tell me I'm nuts.

Thanks in advance,
Willy


>From 230c62b9e7000cfb407a079a21ad0f077f164b21 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Sat, 14 Apr 2007 17:44:03 +0200
Subject: [IPv4] fib: Fix out of bound access of fib_props[]

Backported from 2.6. Bug found and fixed by Thomas Graf :

Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.
---
 net/ipv4/fib_semantics.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index afdf4bb..b930371 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -83,7 +83,7 @@ static struct
 {
 	int	error;
 	u8	scope;
-} fib_props[RTA_MAX+1] = {
+} fib_props[RTN_MAX+1] = {
         { 0, RT_SCOPE_NOWHERE},		/* RTN_UNSPEC */
 	{ 0, RT_SCOPE_UNIVERSE},	/* RTN_UNICAST */
 	{ 0, RT_SCOPE_HOST},		/* RTN_LOCAL */
@@ -431,6 +431,11 @@ fib_create_info(const struct rtmsg *r, struct kern_rta *rta,
 	const int nhs = 1;
 #endif
 
+	if (r->rtm_type > RTN_MAX) {
+		err = -EINVAL;
+		goto errout;
+	}
+
 	/* Fast check to catch the most weird cases */
 	if (fib_props[r->rtm_type].scope > r->rtm_scope)
 		goto err_inval;
-- 
1.4.4.4


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [IPv4] fib: Fix out of bound access of fib_props[]
  2007-04-14 15:48     ` Willy Tarreau
@ 2007-04-16  8:14       ` Thomas Graf
  2007-04-16  8:45         ` Willy Tarreau
  0 siblings, 1 reply; 7+ messages in thread
From: Thomas Graf @ 2007-04-16  8:14 UTC (permalink / raw)
  To: Willy Tarreau; +Cc: David Miller, netdev

* Willy Tarreau <w@1wt.eu> 2007-04-14 17:48
> Finally, I think I have the correct fix below. Please someone confirm
> or tell me I'm nuts.

Looks good, same is needed for DECnet

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [IPv4] fib: Fix out of bound access of fib_props[]
  2007-04-16  8:14       ` Thomas Graf
@ 2007-04-16  8:45         ` Willy Tarreau
  0 siblings, 0 replies; 7+ messages in thread
From: Willy Tarreau @ 2007-04-16  8:45 UTC (permalink / raw)
  To: Thomas Graf; +Cc: David Miller, netdev

On Mon, Apr 16, 2007 at 10:14:17AM +0200, Thomas Graf wrote:
> * Willy Tarreau <w@1wt.eu> 2007-04-14 17:48
> > Finally, I think I have the correct fix below. Please someone confirm
> > or tell me I'm nuts.
> 
> Looks good, same is needed for DECnet

Thank you Thomas.
The DECnet stuff was already merged, it was (expectedly) the same code.

Regards,
Willy


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [IPv4] fib: Fix out of bound access of fib_props[]
@ 2006-11-29 13:55 Thomas Graf
  0 siblings, 0 replies; 7+ messages in thread
From: Thomas Graf @ 2006-11-29 13:55 UTC (permalink / raw)
  To: davem; +Cc: netdev

Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.

Signed-off-by: Thomas Graf <tgraf@suug.ch>

Index: net-2.6/net/ipv4/fib_semantics.c
===================================================================
--- net-2.6.orig/net/ipv4/fib_semantics.c	2006-11-29 13:33:05.000000000 +0100
+++ net-2.6/net/ipv4/fib_semantics.c	2006-11-29 13:36:13.000000000 +0100
@@ -89,7 +89,7 @@
 {
 	int	error;
 	u8	scope;
-} fib_props[RTA_MAX + 1] = {
+} fib_props[RTN_MAX + 1] = {
         {
 		.error	= 0,
 		.scope	= RT_SCOPE_NOWHERE,
@@ -658,6 +658,9 @@
 	struct fib_info *ofi;
 	int nhs = 1;
 
+	if (cfg->fc_type > RTN_MAX)
+		goto err_inval;
+
 	/* Fast check to catch the most weird cases */
 	if (fib_props[cfg->fc_type].scope > cfg->fc_scope)
 		goto err_inval;

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2007-04-16  8:45 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-03-24 15:34 [IPv4] fib: Fix out of bound access of fib_props[] Thomas Graf
2007-03-25  3:33 ` David Miller
2007-04-14 14:26   ` Willy Tarreau
2007-04-14 15:48     ` Willy Tarreau
2007-04-16  8:14       ` Thomas Graf
2007-04-16  8:45         ` Willy Tarreau
  -- strict thread matches above, loose matches on Subject: below --
2006-11-29 13:55 Thomas Graf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).