ipvs 02/04: Add boundary check on ioctl arguments

Message ID	20100108164207.28066.52850.sendpatchset@x2.localnet
State	Accepted, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> From: Patrick McHardy <kaber@trash.net> To: davem@davemloft.net Cc: netdev@vger.kernel.org, Patrick McHardy <kaber@trash.net>, netfilter-devel@vger.kernel.org Message-Id: <20100108164207.28066.52850.sendpatchset@x2.localnet> In-Reply-To: <20100108164204.28066.44430.sendpatchset@x2.localnet> References: <20100108164204.28066.44430.sendpatchset@x2.localnet> Subject: ipvs 02/04: Add boundary check on ioctl arguments Date: Fri, 8 Jan 2010 17:42:10 +0100 (MET) Sender: netdev-owner@vger.kernel.org Precedence: bulk

Message ID

20100108164207.28066.52850.sendpatchset@x2.localnet

State

Accepted, archived

Delegated to:

David Miller

Headers

From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, Patrick McHardy <kaber@trash.net>,
	netfilter-devel@vger.kernel.org
Message-Id: <20100108164207.28066.52850.sendpatchset@x2.localnet>
In-Reply-To: <20100108164204.28066.44430.sendpatchset@x2.localnet>
References: <20100108164204.28066.44430.sendpatchset@x2.localnet>
Subject: ipvs 02/04: Add boundary check on ioctl arguments
Date: Fri,  8 Jan 2010 17:42:10 +0100 (MET)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Commit Message

Patrick McHardy Jan. 8, 2010, 4:42 p.m. UTC

commit 04bcef2a83f40c6db24222b27a52892cba39dffb
Author: Arjan van de Ven <arjan@linux.intel.com>
Date:   Mon Jan 4 16:37:12 2010 +0100

    ipvs: Add boundary check on ioctl arguments
    
    The ipvs code has a nifty system for doing the size of ioctl command
    copies; it defines an array with values into which it indexes the cmd
    to find the right length.
    
    Unfortunately, the ipvs code forgot to check if the cmd was in the
    range that the array provides, allowing for an index outside of the
    array, which then gives a "garbage" result into the length, which
    then gets used for copying into a stack buffer.
    
    Fix this by adding sanity checks on these as well as the copy size.
    
    [ horms@verge.net.au: adjusted limit to IP_VS_SO_GET_MAX ]
    Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
    Acked-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Patrick McHardy <kaber@trash.net>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 6bde12d..c37ac2d 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2077,6 +2077,10 @@  do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
 	if (!capable(CAP_NET_ADMIN))
 		return -EPERM;
 
+	if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
+		return -EINVAL;
+	if (len < 0 || len >  MAX_ARG_LEN)
+		return -EINVAL;
 	if (len != set_arglen[SET_CMDID(cmd)]) {
 		pr_err("set_ctl: len %u != %u\n",
 		       len, set_arglen[SET_CMDID(cmd)]);
@@ -2352,17 +2356,25 @@  do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 {
 	unsigned char arg[128];
 	int ret = 0;
+	unsigned int copylen;
 
 	if (!capable(CAP_NET_ADMIN))
 		return -EPERM;
 
+	if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX)
+		return -EINVAL;
+
 	if (*len < get_arglen[GET_CMDID(cmd)]) {
 		pr_err("get_ctl: len %u < %u\n",
 		       *len, get_arglen[GET_CMDID(cmd)]);
 		return -EINVAL;
 	}
 
-	if (copy_from_user(arg, user, get_arglen[GET_CMDID(cmd)]) != 0)
+	copylen = get_arglen[GET_CMDID(cmd)];
+	if (copylen > 128)
+		return -EINVAL;
+
+	if (copy_from_user(arg, user, copylen) != 0)
 		return -EFAULT;
 
 	if (mutex_lock_interruptible(&__ip_vs_mutex))

ipvs 02/04: Add boundary check on ioctl arguments

Commit Message

Patch