| commit | 6f40d761f0210858e4adbadd33b55020d291ef76 | |
| author | Ben Hutchings <bhutchings@solarflare.com> | |
| Tue, 7 Sep 2010 04:35:19 +0000 (7 04:35 +0000) | ||
| committer | Andi Kleen <ak@linux.intel.com> | |
| Mon, 1 Aug 2011 20:54:47 +0000 (1 13:54 -0700) | ||
| tree | b6a2fda193d27ffc3b3d63590e768384b990fe85 | treesnapshot (tar.gz zip) |
| parent | 04c735c129a5a86c6edd61743b4fb8fc6cbecfa7 | commitdiff |
niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL
commit ee9c5cfad29c8a13199962614b9b16f1c4137ac9 upstream.
niu_get_ethtool_tcam_all() assumes that its output buffer is the right
size, and warns before returning if it is not. However, the output
buffer size is under user control and ETHTOOL_GRXCLSRLALL is an
unprivileged ethtool command. Therefore this is at least a local
denial-of-service vulnerability.
Change it to check before writing each entry and to return an error if
the buffer is already full.
Compile-tested only.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
[Adjusted to apply to 2.6.32 by dann frazier <dannf@debian.org>]
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
commit ee9c5cfad29c8a13199962614b9b16f1c4137ac9 upstream.
niu_get_ethtool_tcam_all() assumes that its output buffer is the right
size, and warns before returning if it is not. However, the output
buffer size is under user control and ETHTOOL_GRXCLSRLALL is an
unprivileged ethtool command. Therefore this is at least a local
denial-of-service vulnerability.
Change it to check before writing each entry and to return an error if
the buffer is already full.
Compile-tested only.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
[Adjusted to apply to 2.6.32 by dann frazier <dannf@debian.org>]
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| drivers/net/niu.c | diffblobblamehistory |