inet_diag: validate byte code to prevent oops in inet_diag_bc_run()
authorNeal Cardwell <ncardwell@google.com>
Sat, 8 Dec 2012 19:43:22 +0000 (19:43 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 11 Jan 2013 17:06:28 +0000 (09:06 -0800)
commit879fc99ecd078f64849b95c47cf7e28705ac8884
treeeb570cc6cfc09defa928478ba30d6718e07a8ab3
parent457a04b96314023464f8249975b1efb4eef1c925
inet_diag: validate byte code to prevent oops in inet_diag_bc_run()

[ Upstream commit 405c005949e47b6e91359159c24753519ded0c67 ]

Add logic to validate INET_DIAG_BC_S_COND and INET_DIAG_BC_D_COND
operations.

Previously we did not validate the inet_diag_hostcond, address family,
address length, and prefix length. So a malicious user could make the
kernel read beyond the end of the bytecode array by claiming to have a
whole inet_diag_hostcond when the bytecode was not long enough to
contain a whole inet_diag_hostcond of the given address family. Or
they could make the kernel read up to about 27 bytes beyond the end of
a connection address by passing a prefix length that exceeded the
length of addresses of the given family.

Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/ipv4/inet_diag.c