| 123456789101112131415161718192021222324252627 |
- From 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0 Mon Sep 17 00:00:00 2001
- From: Mathias Krause <minipli@googlemail.com>
- Date: Sat, 23 Feb 2013 01:13:47 +0000
- Subject: sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
- Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
- with a family greater or equal then AF_MAX -- the array size of
- sock_diag_handlers[]. The current code does not test for this
- condition therefore is vulnerable to an out-of-bound access opening
- doors for a privilege escalation.
- Signed-off-by: Mathias Krause <minipli@googlemail.com>
- Acked-by: Eric Dumazet <edumazet@google.com>
- Signed-off-by: David S. Miller <davem@davemloft.net>
- ---
- --- a/net/core/sock_diag.c
- +++ b/net/core/sock_diag.c
- @@ -126,6 +126,9 @@ static int __sock_diag_rcv_msg(struct sk
- if (nlmsg_len(nlh) < sizeof(*req))
- return -EINVAL;
-
- + if (req->sdiag_family >= AF_MAX)
- + return -EINVAL;
- +
- hndl = sock_diag_lock_handler(req->sdiag_family);
- if (hndl == NULL)
- err = -ENOENT;
|
