From: Ralf Baechle <ralf@linux-mips.org>
To: "David S. Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org, linux-hams@vger.kernel.org,
Xi Wang <xi.wang@gmail.com>, Joerg Reuter <jreuter@yaina.de>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Dan Carpenter <dan.carpenter@oracle.com>,
Walter Harms <wharms@bfs.de>,
Thomas Osterried <thomas@osterried.de>
Subject: [PATCH 0/4] AX.25 and NET/ROM fixes and improvments.
Date: Fri, 25 Nov 2011 09:55:50 +0000 [thread overview]
Message-ID: <cover.1322214950.git.ralf@linux-mips.org> (raw)
AX.25 ioctl didn't do sufficient argument checking. The result of these
overflows is harmless as it will be dealt with further further down in the
stack but an application should get an error code when trying to set
such a bogus value. To not restrict the more extreme use cases of AX.25
there is no attempt to clamp values to a "sensible" range.
The NET/ROM stack's routing ioctl didn't check the lengths of the mnemonic
string that is being passed as part of the nr_route_struct structure to the
kernel. In theory this could result in an oops but no memory corruption
but again is fairly harmless because it requires CAP_NET_ADMIN priviledges
which in practice only root has and ax25-tools don't send malformed
ioctls.
Two further patches simplify the checks at the beginning of nr_rt_ioctl
and do minor reformatting to nr_ioctl.
Patches 1 and 2 are meant for v3.2; 3 and 4 are only cosmetic and thus
are v3.3 material.
Ralf Baechle (4):
NET: AX.25: Check ioctl arguments to avoid overflows further down the
road.
NET: NETROM: When adding a route verify length of mnemonic string.
NET: NETROM: Cleanup argument SIOCADDRT ioctl argument checking.
NET: NETROM: Fix formatting.
net/ax25/af_ax25.c | 17 +++++++++++------
net/netrom/af_netrom.c | 3 ++-
net/netrom/nr_route.c | 11 +++++++----
3 files changed, 20 insertions(+), 11 deletions(-)
--
1.7.4.4
next reply other threads:[~2011-11-25 11:09 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-25 9:55 Ralf Baechle [this message]
2011-11-24 16:12 ` [PATCH 1/4] NET: AX.25: Check ioctl arguments to avoid overflows further down the road Ralf Baechle
2011-11-29 6:17 ` David Miller
2011-11-25 9:08 ` [PATCH 2/4] NET: NETROM: When adding a route verify length of mnemonic string Ralf Baechle
2011-11-25 11:36 ` Dan Carpenter
2011-11-29 6:18 ` David Miller
2011-11-25 9:09 ` [PATCH 3/4] NET: NETROM: Cleanup argument SIOCADDRT ioctl argument checking Ralf Baechle
2011-11-25 11:22 ` walter harms
2011-11-25 12:12 ` walter harms
2011-11-25 13:26 ` Thomas Osterried
2011-11-29 6:18 ` David Miller
2011-11-25 9:54 ` [PATCH 4/4] NET: NETROM: Fix formatting Ralf Baechle
2011-11-29 6:18 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1322214950.git.ralf@linux-mips.org \
--to=ralf@linux-mips.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=jreuter@yaina.de \
--cc=linux-hams@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=thomas@osterried.de \
--cc=wharms@bfs.de \
--cc=xi.wang@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).