| Message ID | 4EF7804D.4050300@parallels.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
From: Pavel Emelyanov <xemul@parallels.com>
Date: Sun, 25 Dec 2011 23:58:05 +0400

> The NLA_PUT macro should accept the actual attribute length, not
> the amount of elements in array :(
>
> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>

Applied, thanks.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sunday, 25 December 2011 at 23:58 +0400, Pavel Emelyanov wrote:
> The NLA_PUT macro should accept the actual attribute length, not
> the amount of elements in array :(
>
> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
>
> ---
> net/unix/diag.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/net/unix/diag.c b/net/unix/diag.c > index 91d5782..39e44c9 100644 > --- a/net/unix/diag.c > +++ b/net/unix/diag.c > @@ -72,7 +72,8 @@ static int sk_diag_dump_icons(struct sock *sk, struct sk_buff *nlskb) > > if (sk->sk_state == TCP_LISTEN) { > spin_lock(&sk->sk_receive_queue.lock); > - buf = UNIX_DIAG_PUT(nlskb, UNIX_DIAG_ICONS, sk->sk_receive_queue.qlen); > + buf = UNIX_DIAG_PUT(nlskb, UNIX_DIAG_ICONS, > + sk->sk_receive_queue.qlen * sizeof(u32)); > i = 0; > skb_queue_walk(&sk->sk_receive_queue, skb) { > struct sock *req, *peer;

Hmm, I must say sk_diag_dump_icons() looks buggy, since it does:

if (peer)
buf[i++] = sock_i_ino(peer);

So we probably leak kernel memory content to user for the (!peer) case, since we did:

UNIX_DIAG_PUT(nlskb, UNIX_DIAG_ICONS, sk->sk_receive_queue.qlen * sizeof(u32));
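The two defects discussed in this thread, the attribute sized in entries instead of bytes (what the patch fixes) and the slots that stay unwritten when a pending connection has no peer (what Eric points out), in a user-space model. This is an added example, not code from the thread or from the kernel tree: `fake_skb`, `fake_diag_put`, `struct pending` and the queue contents are constructed stand-ins for the kernel's skb, the UNIX_DIAG_PUT macro and the listening socket's receive queue, and `dump_icons_zeroed` shows a zero-fill mitigation that is an assumption made here, not a change proposed in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;

/* Stand-in for the netlink message buffer. It is pre-filled with a
 * recognisable byte pattern (constructed) that represents whatever the
 * memory held before the reply was built. */
#define SKB_SIZE   256
#define STALE_BYTE 0xAA
#define STALE_WORD 0xAAAAAAAAu

struct fake_skb {
    unsigned char data[SKB_SIZE];
    size_t len;                 /* payload bytes reserved so far */
};

static void fake_skb_init(struct fake_skb *skb)
{
    memset(skb->data, STALE_BYTE, sizeof skb->data);
    skb->len = 0;
}

/* Stand-in for UNIX_DIAG_PUT / NLA_PUT: reserve `len` payload bytes and
 * return a pointer to them. Like the kernel helper, it does not clear them. */
static void *fake_diag_put(struct fake_skb *skb, size_t len)
{
    if (skb->len + len > SKB_SIZE)
        return NULL;
    void *p = skb->data + skb->len;
    skb->len += len;
    return p;
}

/* One pending connection on a listening socket's receive queue, reduced to
 * what the loop needs: whether a peer exists and its inode number. */
struct pending {
    int has_peer;
    u32 peer_ino;
};

/* Constructed queue: three pending connections, the middle one has no peer. */
static const struct pending queue[] = { { 1, 1001 }, { 0, 0 }, { 1, 1003 } };
static const size_t qlen = sizeof queue / sizeof queue[0];

/* Count the u32 slots of a finished attribute that were never written. */
static long count_stale(const u32 *buf, size_t n)
{
    long stale = 0;
    for (size_t s = 0; s < n; s++)
        if (buf[s] == STALE_WORD)
            stale++;
    return stale;
}

/* Before the patch: the attribute was sized in entries, i.e. qlen bytes.
 * Returns how many bytes the u32 writes extend past the reserved attribute.
 * The writes are kept inside the fake buffer so nothing is really corrupted. */
static long dump_icons_before_patch(struct fake_skb *skb)
{
    u32 *buf = fake_diag_put(skb, qlen);          /* too small: qlen bytes */
    if (!buf)
        return -1;
    size_t off = (size_t)((unsigned char *)buf - skb->data);
    size_t i = 0;
    for (size_t k = 0; k < qlen; k++)
        if (queue[k].has_peer && off + (i + 1) * sizeof(u32) <= SKB_SIZE)
            buf[i++] = queue[k].peer_ino;
    size_t written = i * sizeof(u32);
    return written > qlen ? (long)(written - qlen) : 0;
}

/* After the patch: the attribute is qlen * sizeof(u32) bytes, so the writes
 * fit, but only entries with a peer are written. Returns the number of slots
 * that still hold the stale pattern and would be copied to user space. */
static long dump_icons_as_patched(struct fake_skb *skb)
{
    u32 *buf = fake_diag_put(skb, qlen * sizeof(u32));
    if (!buf)
        return -1;
    size_t i = 0;
    for (size_t k = 0; k < qlen; k++)
        if (queue[k].has_peer)
            buf[i++] = queue[k].peer_ino;
    return count_stale(buf, qlen);
}

/* Mitigation assumed here (not from the thread): clear the reserved payload
 * before filling it, so skipped slots read as 0 instead of old memory. */
static long dump_icons_zeroed(struct fake_skb *skb)
{
    u32 *buf = fake_diag_put(skb, qlen * sizeof(u32));
    if (!buf)
        return -1;
    memset(buf, 0, qlen * sizeof(u32));
    size_t i = 0;
    for (size_t k = 0; k < qlen; k++)
        if (queue[k].has_peer)
            buf[i++] = queue[k].peer_ino;
    return count_stale(buf, qlen);
}

/* Each demo runs one variant against a freshly initialised buffer. */
static long demo_before_patch(void) { struct fake_skb s; fake_skb_init(&s); return dump_icons_before_patch(&s); }
static long demo_as_patched(void)   { struct fake_skb s; fake_skb_init(&s); return dump_icons_as_patched(&s); }
static long demo_zeroed(void)       { struct fake_skb s; fake_skb_init(&s); return dump_icons_zeroed(&s); }

int main(void)
{
    printf("before patch: %ld byte(s) written past the attribute\n", demo_before_patch());
    printf("as patched:   %ld stale u32 slot(s) sent to user space\n", demo_as_patched());
    printf("zero-filled:  %ld stale u32 slot(s) sent to user space\n", demo_zeroed());
    return 0;
}
```

On the constructed queue the model reports five bytes written past the attribute before the patch (two u32 values into a three-byte reservation), one stale slot after it (the entry without a peer), and none once the payload is zeroed first. Shrinking the attribute to the number of entries actually written would be the other way to close the gap; zero-filling is the simpler change and keeps the attribute length predictable from qlen.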
diff --git a/net/unix/diag.c b/net/unix/diag.c index 91d5782..39e44c9 100644 --- a/net/unix/diag.c +++ b/net/unix/diag.c @@ -72,7 +72,8 @@ static int sk_diag_dump_icons(struct sock *sk, struct sk_buff *nlskb) if (sk->sk_state == TCP_LISTEN) { spin_lock(&sk->sk_receive_queue.lock); - buf = UNIX_DIAG_PUT(nlskb, UNIX_DIAG_ICONS, sk->sk_receive_queue.qlen); + buf = UNIX_DIAG_PUT(nlskb, UNIX_DIAG_ICONS, + sk->sk_receive_queue.qlen * sizeof(u32)); i = 0; skb_queue_walk(&sk->sk_receive_queue, skb) { struct sock *req, *peer;
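Review bot: the corrected length `sk->sk_receive_queue.qlen * sizeof(u32)` reserves one u32 per queued skb, but the fill loop that follows (quoted in the reply above as `if (peer) buf[i++] = sock_i_ino(peer);`) only writes a slot when a peer exists, so with this hunk any queue entry without a peer leaves a reserved, never-written slot that is still sent as part of the attribute. Suggest either zeroing the reserved payload right after `UNIX_DIAG_PUT` or sizing the attribute to the number of entries actually written, and as a minor style point `sizeof(*buf)` would tie the element size to `buf`'s type instead of repeating `u32`.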
The NLA_PUT macro should accept the actual attribute length, not
the amount of elements in array :(

Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
---
net/unix/diag.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)