netdev.vger.kernel.org archive mirror
* [PATCH net-2.6] tcp_probe buffer overflow and incorrect return value
From: Tom Quetchenbach @ 2008-04-24 21:37 UTC
  To: netdev

tcp_probe has a bounds-checking bug that causes many programs (less, python) to
crash reading /proc/net/tcp_probe. When it outputs a log line to the reader, it
only checks if that line alone will fit in the reader's buffer, rather than that
line and all the previous lines it has already written.

tcpprobe_read also returns the wrong value if copy_to_user fails--it just passes
on the return value of copy_to_user (number of bytes not copied), which makes a
failure look like a success.

This patch fixes the buffer overflow and sets the return value to -EFAULT if
copy_to_user fails.

Patch is against latest net-2.6; tested briefly and seems to fix the crashes in
less and python.

Signed-off-by: Tom Quetchenbach <virtualphtn@gmail.com>


diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
index 1c50959..5ff0ce6 100644
--- a/net/ipv4/tcp_probe.c
+++ b/net/ipv4/tcp_probe.c
@@ -190,19 +190,18 @@ static ssize_t tcpprobe_read(struct file
 
 		width = tcpprobe_sprint(tbuf, sizeof(tbuf));
 
-		if (width < len)
+		if (cnt + width < len)
 			tcp_probe.tail = (tcp_probe.tail + 1) % bufsize;
 
 		spin_unlock_bh(&tcp_probe.lock);
 
 		/* if record greater than space available
 		   return partial buffer (so far) */
-		if (width >= len)
+		if (cnt + width >= len)
 			break;
 
-		error = copy_to_user(buf + cnt, tbuf, width);
-		if (error)
-			break;
+		if (copy_to_user(buf + cnt, tbuf, width))
+			return -EFAULT;
 		cnt += width;
 	}
 
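Review bot: the new `return -EFAULT;` at the end of the hunk discards a partial read: `tcp_probe.tail` was already advanced under the lock a few lines above for the record being copied, so when copy_to_user() fails that record (and the `cnt` bytes already delivered into `buf`) is consumed from the ring while the caller is told nothing was read. Returning the bytes already delivered when some were, e.g. `return cnt ? cnt : -EFAULT;`, keeps the usual read() partial-success semantics; if an unconditional -EFAULT is intended, the commit message should say so. Also, with the `error = copy_to_user(...)` assignment removed, check that `error` is not left declared but unused in tcpprobe_read(), which would produce a compiler warning.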

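A user-space model of the read loop that the commit message describes, added here as an example (it is not the kernel's code): it runs the same record list through the original per-record check and the patched cumulative check and reports how many bytes each would hand to a reader buffer of a given size. The record lines are constructed stand-ins for tcpprobe_sprint() output.

```c
/* Added example, not the kernel's code: a user-space model of the
 * tcpprobe_read() copy loop, run with the original per-record check and
 * with the patched cumulative check from the commit above. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the lines tcpprobe_sprint() would format. */
static const char *const records[] = {
    "1.000000000 10.0.0.1:33000 10.0.0.2:80 1460 0x1 0x2 10 10 65535 1\n",
    "1.000100000 10.0.0.1:33000 10.0.0.2:80 1460 0x3 0x4 11 11 65535 1\n",
    "1.000200000 10.0.0.1:33000 10.0.0.2:80 1460 0x5 0x6 12 12 65535 1\n",
};
#define NRECORDS (sizeof(records) / sizeof(records[0]))

/*
 * Return how many bytes the loop would copy into a reader buffer of 'len'
 * bytes. 'fixed' == 0 applies the original test (width < len), any other
 * value the patched test (cnt + width < len). Nothing is actually written,
 * so the buggy variant only reports the oversized count instead of
 * overrunning memory.
 */
size_t model_read(size_t len, int fixed)
{
    size_t cnt = 0;

    for (size_t i = 0; i < NRECORDS; i++) {
        size_t width = strlen(records[i]);
        size_t need = fixed ? cnt + width : width;

        /* "if record greater than space available, return partial buffer" */
        if (need >= len)
            break;
        cnt += width;   /* the kernel does copy_to_user(buf + cnt, ...) here */
    }
    return cnt;
}

int main(void)
{
    /* Buffer that fits one record with a few bytes to spare, but not two. */
    size_t len = strlen(records[0]) + 4;

    printf("buffer %zu bytes: original check copies %zu, patched check copies %zu\n",
           len, model_read(len, 0), model_read(len, 1));
    return 0;
}
```

With a buffer slightly larger than one record, the original check lets every record through (each alone fits), so the total exceeds the buffer; the patched check stops after the first record. A buffer smaller than a single record yields zero bytes under both, which is the pre-existing behaviour the patch does not change.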

* Re: [PATCH net-2.6] tcp_probe buffer overflow and incorrect return value
From: David Miller @ 2008-04-25  4:12 UTC
  To: virtualphtn; +Cc: netdev

From: Tom Quetchenbach <virtualphtn@gmail.com>
Date: Thu, 24 Apr 2008 14:37:58 -0700

> tcp_probe has a bounds-checking bug that causes many programs (less, python) to
> crash reading /proc/net/tcp_probe. When it outputs a log line to the reader, it
> only checks if that line alone will fit in the reader's buffer, rather than that
> line and all the previous lines it has already written.
> 
> tcpprobe_read also returns the wrong value if copy_to_user fails--it just passes
> on the return value of copy_to_user (number of bytes not copied), which makes a
> failure look like a success.
> 
> This patch fixes the buffer overflow and sets the return value to -EFAULT if
> copy_to_user fails.
> 
> Patch is against latest net-2.6; tested briefly and seems to fix the crashes in
> less and python.
> 
> Signed-off-by: Tom Quetchenbach <virtualphtn@gmail.com>

Thanks a lot for fixing this bug.

I've applied this patch and I'll queue it up for -stable too.

Thanks again.
