Skip to main content

Browse the archive

https://github.com/torvalds/linux
05 April 2024, 19:05:47 UTC
Revision 5e1f54201cb481f40a04bc47e1bc8c093a189e23 authored by Neal Cardwell on 09 December 2012, 11:09:54 UTC, committed by David S. Miller on 10 December 2012, 00:00:48 UTC 
inet_diag: validate port comparison byte code to prevent unsafe reads
 
Add logic to verify that a port comparison byte code operation
actually has the second inet_diag_bc_op from which we read the port
for such operations.

Previously the code blindly referenced op[1] without first checking
whether a second inet_diag_bc_op struct could fit there. So a
malicious user could make the kernel read 4 bytes beyond the end of
the bytecode array by claiming to have a whole port comparison byte
code (2 inet_diag_bc_op structs) when in fact the bytecode was not
long enough to hold both.

Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent f67caec
History
Tip revision: 5e1f54201cb481f40a04bc47e1bc8c093a189e23 authored by Neal Cardwell on 09 December 2012, 11:09:54 UTC
inet_diag: validate port comparison byte code to prevent unsafe reads
Tip revision: 5e1f542
File Mode Size
.gitignore -rw-r--r-- 151 bytes
Kconfig -rw-r--r-- 5.3 KB
Makefile -rw-r--r-- 2.3 KB
gen_init_cpio.c -rw-r--r-- 13.0 KB
initramfs_data.S -rw-r--r-- 1.3 KB
back to top