[PATCH] ip maddr show” on an infiniband address causes a stack corruption

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] ip maddr show” on an infiniband address causes a stack corruption
@ 2008-11-25 12:36 Olivier Fourdan
  0 siblings, 0 replies; only message in thread
From: Olivier Fourdan @ 2008-11-25 12:36 UTC (permalink / raw)
  To: netdev

[-- Attachment #1: Type: text/plain, Size: 529 bytes --]

Hi,

“ip maddr show” on an infiniband address causes a stack corruption 
because the length of the address for Infiniband (20 bytes, as 
described in kernel doc Documentation/infiniband/ipoib.txt) does not 
fit on the 16 bytes of the field in which it gets stored.

The proposed patch increases the size of the hardware address from 4 
__u32 to 8 and also adds a check to avoid overriding the available 
size while parsing the hardware address.

This bug affects current upstream code AFAICT.

Hope this helps,
Cheers,
Olivier.

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: iproute2-2.6.26-check-hwaddr-size.patch --]
[-- Type: text/x-patch; name="iproute2-2.6.26-check-hwaddr-size.patch", Size: 1815 bytes --]

“ip maddr show ib0” causes a stack corruption because the length of the address
for Infiniband (20 see kernel doc Documentation/infiniband/ipoib.txt) does not 
fit on the 16 bytes of the field in which it gets stored.

The proposed patch increases the size of the hardware address from 4 u32 to 8 
and adds a check to avoid overriding the available size while parsing the 
hardware address.

This bug affects current upstream code and should be reported upstream.

 include/utils.h |    2 +-
 ip/ipmaddr.c    |    8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

--- iproute2-2.6.26/include/utils.h.hwaddrsize	2008-11-25 11:02:30.000000000 +0000
+++ iproute2-2.6.26/include/utils.h	2008-11-25 11:08:28.000000000 +0000
@@ -46,7 +46,7 @@
 	__u8 bytelen;
 	__s16 bitlen;
 	__u32 flags;
-	__u32 data[4];
+	__u32 data[8];
 } inet_prefix;

 #define PREFIXLEN_SPECIFIED 1
--- iproute2-2.6.26/ip/ipmaddr.c.hwaddrsize	2008-11-25 11:02:51.000000000 +0000
+++ iproute2-2.6.26/ip/ipmaddr.c	2008-11-25 11:08:26.000000000 +0000
@@ -43,11 +43,11 @@
 	exit(-1);
 }

-static int parse_hex(char *str, unsigned char *addr)
+static int parse_hex(char *str, unsigned char *addr, size_t size)
 {
 	int len=0;

-	while (*str) {
+	while (*str && (len < 2 * size)) {
 		int tmp;
 		if (str[1] == 0)
 			return -1;
@@ -104,7 +104,7 @@

 		m.addr.family = AF_PACKET;

-		len = parse_hex(hexa, (unsigned char*)&m.addr.data);
+		len = parse_hex(hexa, (unsigned char*)&m.addr.data, sizeof (m.addr.data));
 		if (len >= 0) {
 			struct ma_info *ma = malloc(sizeof(m));

@@ -176,7 +176,7 @@

 		m.addr.family = AF_INET6;

-		len = parse_hex(hexa, (unsigned char*)&m.addr.data);
+		len = parse_hex(hexa, (unsigned char*)&m.addr.data, sizeof (m.addr.data));
 		if (len >= 0) {
 			struct ma_info *ma = malloc(sizeof(m));

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2008-11-25 12:36 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-11-25 12:36 [PATCH] ip maddr show” on an infiniband address causes a stack corruption Olivier Fourdan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).