* [PATCH] [IPV4]: Buffer overflow
@ 2009-07-29 10:52 Roel Kluin
2009-07-29 22:02 ` Jarek Poplawski
0 siblings, 1 reply; 4+ messages in thread
From: Roel Kluin @ 2009-07-29 10:52 UTC (permalink / raw)
To: David S. Miller, netdev, Andrew Morton
If arp_format_neigh_entry() can be called with n->dev->addr_len == 0, then a
write to hbuffer[-1] occurs.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
Found with Parfait, http://research.sun.com/projects/parfait/
It's not clear whether this can happen or not.
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index c29d75d..252336f 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1304,7 +1304,8 @@ static void arp_format_neigh_entry(struct seq_file *seq,
hbuffer[k++] = hex_asc_lo(n->ha[j]);
hbuffer[k++] = ':';
}
- hbuffer[--k] = 0;
+ if (k != 0)
+ hbuffer[--k] = 0;
#if defined(CONFIG_AX25) || defined(CONFIG_AX25_MODULE)
}
#endif
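Review bot: the `if (k != 0)` guard in this hunk stops the `hbuffer[-1]` write, but for `k == 0` the loop above never ran, so `hbuffer` is left without a terminating NUL and any later use of it as a string reads past the data that was written. Keep the guard but still terminate in that case, e.g. `if (k != 0) --k;` followed by `hbuffer[k] = 0;`, so a zero-length address formats as an empty string.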
* Re: [PATCH] [IPV4]: Buffer overflow
From: Jarek Poplawski @ 2009-07-29 22:02 UTC (permalink / raw)
To: Roel Kluin; +Cc: David S. Miller, netdev, Andrew Morton
Roel Kluin wrote, On 07/29/2009 12:52 PM:
> If arp_format_neigh_entry() can be called with n->dev->addr_len == 0, then a
> write to hbuffer[-1] occurs.
>
> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> ---
> Found with Parfait, http://research.sun.com/projects/parfait/
>
> It's not clear whether this can happen or not.
>
> diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
> index c29d75d..252336f 100644
> --- a/net/ipv4/arp.c
> +++ b/net/ipv4/arp.c
> @@ -1304,7 +1304,8 @@ static void arp_format_neigh_entry(struct seq_file *seq,
> hbuffer[k++] = hex_asc_lo(n->ha[j]);
> hbuffer[k++] = ':';
> }
> - hbuffer[--k] = 0;
> + if (k != 0)
> + hbuffer[--k] = 0;
I guess for k == 0 we need hbuffer[0] = 0 too.
Jarek P.
> #if defined(CONFIG_AX25) || defined(CONFIG_AX25_MODULE)
> }
> #endif
* Re: [PATCH] [IPV4]: Buffer overflow
From: Roel Kluin @ 2009-07-30 9:46 UTC (permalink / raw)
To: Jarek Poplawski; +Cc: David S. Miller, netdev, Andrew Morton
If arp_format_neigh_entry() can be called with n->dev->addr_len == 0, then a
write to hbuffer[-1] occurs.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
On 30-07-09 00:02, Jarek Poplawski wrote:
> Roel Kluin wrote, On 07/29/2009 12:52 PM:
>> - hbuffer[--k] = 0;
>> + if (k != 0)
>> + hbuffer[--k] = 0;
>
>
> I guess for k == 0 we need hbuffer[0] = 0 too.
>
> Jarek P.
Thanks, updated patch below.
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index c29d75d..090e999 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1304,7 +1304,9 @@ static void arp_format_neigh_entry(struct seq_file *seq,
hbuffer[k++] = hex_asc_lo(n->ha[j]);
hbuffer[k++] = ':';
}
- hbuffer[--k] = 0;
+ if (k != 0)
+ --k;
+ hbuffer[k] = 0;
#if defined(CONFIG_AX25) || defined(CONFIG_AX25_MODULE)
}
#endif
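Review bot: with `--k` now skipped for `k == 0`, the terminator lands at `hbuffer[0]` and a zero-length hardware address is printed as an empty string; the commit message above still only describes the `hbuffer[-1]` write, so it should also state this new output for the `addr_len == 0` case. Since the description says it is unclear whether `addr_len == 0` can occur, it would help to state whether any device type registers with that value or, failing that, to say explicitly that this is a defensive fix from static analysis so the guard is not mistaken for a known reachable path.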