summaryrefslogtreecommitdiffstats
path: root/net/xfrm
diff options
context:
space:
mode:
authorNeal Cardwell <ncardwell@google.com>2012-12-09 11:09:54 +0000
committerDavid S. Miller <davem@davemloft.net>2012-12-09 19:00:48 -0500
commit5e1f54201cb481f40a04bc47e1bc8c093a189e23 (patch)
treef5fa04ab4f52467197692f6ddf3cb56d5908595e /net/xfrm
parentf67caec9068cee426ec23cf9005a1dee2ecad187 (diff)
inet_diag: validate port comparison byte code to prevent unsafe reads
Add logic to verify that a port comparison byte code operation actually has the second inet_diag_bc_op from which we read the port for such operations. Previously the code blindly referenced op[1] without first checking whether a second inet_diag_bc_op struct could fit there. So a malicious user could make the kernel read 4 bytes beyond the end of the bytecode array by claiming to have a whole port comparison byte code (2 inet_diag_bc_op structs) when in fact the bytecode was not long enough to hold both. Signed-off-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm')
0 files changed, 0 insertions, 0 deletions