From patchwork Thu Jul 30 09:46:59 2009
X-Patchwork-Submitter: roel kluin
X-Patchwork-Id: 30377
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <4A716C13.6030208@gmail.com>
Date: Thu, 30 Jul 2009 11:46:59 +0200
From: Roel Kluin
To: Jarek Poplawski
CC: "David S. Miller", netdev@vger.kernel.org, Andrew Morton
Subject: Re: [PATCH] [IPV4]: Buffer overflow
References: <4A702A02.30509@gmail.com> <4A70C6FF.9060302@gmail.com>
In-Reply-To: <4A70C6FF.9060302@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

If arp_format_neigh_entry() can be called with n->dev->addr_len == 0, then a
write to hbuffer[-1] occurs.

Signed-off-by: Roel Kluin
---
On 30-07-09 00:02, Jarek Poplawski wrote:
> Roel Kluin wrote, On 07/29/2009 12:52 PM:
>> - hbuffer[--k] = 0;
>> + if (k != 0)
>> + hbuffer[--k] = 0;
>
>
> I guess for k == 0 we need hbuffer[0] = 0 too.
>
> Jarek P.

Thanks, updated patch below.

diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c index c29d75d..090e999 100644 --- a/net/ipv4/arp.c +++ b/net/ipv4/arp.c
@@ -1304,7 +1304,9 @@ static void arp_format_neigh_entry(struct seq_file *seq, hbuffer[k++] = hex_asc_lo(n->ha[j]); hbuffer[k++] = ':'; } - hbuffer[--k] = 0; + if (k != 0) + --k; + hbuffer[k] = 0; #if defined(CONFIG_AX25) || defined(CONFIG_AX25_MODULE) } #endif
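
Review bot: The added `if (k != 0) --k;` ahead of `hbuffer[k] = 0;` covers the empty-address case without saying so. A one-line comment that k is still 0 when n->dev->addr_len is 0, so only the terminator is written and no trailing ':' is stripped, would explain why the decrement is conditional. The changelog describes a write to hbuffer[-1], which is an out-of-bounds write before the start of the buffer, so "Buffer overflow" in the subject would be more accurate as an underflow. It also only says "If ... can be called" with addr_len == 0; please state whether that is reachable. The loop condition is not part of this hunk, so the upper bound on k against the size of hbuffer cannot be checked from these lines and is worth confirming alongside this fix.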