sysctl binary: Reorder the tests to process wild card entries first.
Eric W. Biederman [Thu, 12 Nov 2009 09:39:06 +0000 (01:39 -0800)]
A malicious user could have passed in a ctl_name of 0 and triggered
the well know ctl_name to procname mapping code, instead of the wild
card matching code.  This is a slight problem as wild card entries don't
have procnames, and because in some alternate universe a network device
might have ifindex 0.  So test for and handle wild card entries first.

Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>

kernel/sysctl_binary.c

index 0cf6040..b75dbf4 100644 (file)
@@ -1269,17 +1269,12 @@ repeat:
        for ( ; table->convert; table++) {
                int len = 0;
 
-               /* Use the well known sysctl number to proc name mapping */
-               if (ctl_name == table->ctl_name) {
-                       len = strlen(table->procname);
-                       memcpy(path, table->procname, len);
-               }
-#ifdef CONFIG_NET
                /*
                 * For a wild card entry map from ifindex to network
                 * device name.
                 */
-               else if (!table->ctl_name) {
+               if (!table->ctl_name) {
+#ifdef CONFIG_NET
                        struct net *net = current->nsproxy->net_ns;
                        struct net_device *dev;
                        dev = dev_get_by_index(net, ctl_name);
@@ -1288,8 +1283,12 @@ repeat:
                                memcpy(path, dev->name, len);
                                dev_put(dev);
                        }
-               }
 #endif
+               /* Use the well known sysctl number to proc name mapping */
+               } else if (ctl_name == table->ctl_name) {
+                       len = strlen(table->procname);
+                       memcpy(path, table->procname, len);
+               }
                if (len) {
                        path += len;
                        if (table->child) {