[PKT_SCHED]: Fix illegal memory dereferences when dumping actions

The TCA_ACT_KIND attribute is used without checking its
availability when dumping actions therefore leading to a
value of 0x4 being dereferenced.

The use of strcmp() in tc_lookup_action_n() isn't safe
when fed with string from an attribute without enforcing
proper NUL termination.

Both bugs can be triggered with a malformed netlink message
and don't require any privileges.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Thomas Graf and committed by David S. Miller 26dab893 e340221a

+5 -6
+5 -6
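--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -776,7 +776,7 @@
 return ret;
 }
 
-static char *
+static struct rtattr *
 find_dump_kind(struct nlmsghdr *n)
 {
 struct rtattr *tb1, *tb2[TCA_ACT_MAX+1];
@@ -804,7 +804,7 @@
 return NULL;
 kind = tb2[TCA_ACT_KIND-1];
 
-return (char *) RTA_DATA(kind);
+return kind;
 }
 
 static int
@@ -817,16 +817,15 @@
 struct tc_action a;
 int ret = 0;
 struct tcamsg *t = (struct tcamsg *) NLMSG_DATA(cb->nlh);
-char *kind = find_dump_kind(cb->nlh);
+struct rtattr *kind = find_dump_kind(cb->nlh);
 
 if (kind == NULL) {
 printk("tc_dump_action: action bad kind\n");
 return 0;
 }
 
-a_o = tc_lookup_action_n(kind);
+a_o = tc_lookup_action(kind);
 if (a_o == NULL) {
-printk("failed to find %s\n", kind);
 return 0;
 }
 
@@ -834,7 +833,7 @@
 a.ops = a_o;
 
 if (a_o->walk == NULL) {
-printk("tc_dump_action: %s !capable of dumping table\n", kind);
+printk("tc_dump_action: %s !capable of dumping table\n", a_o->kind);
 goto rtattr_failure;
 }
 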
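Review bot: The two printk() calls left in tc_dump_action (`action bad kind` and `!capable of dumping table`) have no KERN_ level and no rate limit. The commit message says the bad-kind path is reachable from an unprivileged, malformed netlink message, so a local user can presumably flood the kernel log through it. I would gate them, e.g. `if (net_ratelimit()) printk(KERN_DEBUG "tc_dump_action: action bad kind\n");`, or drop them as this commit already does for the "failed to find" message. Separately, find_dump_kind() now returns the raw attribute, so a comment above it such as `/* Returns the TCA_ACT_KIND attribute or NULL; the payload is not guaranteed NUL-terminated, so compare it with rtattr_strcmp(), never strcmp() or %s. */` would keep later callers from reintroducing the original bug. Both functions start and end outside the hunks shown, so the error paths after `rtattr_failure` could not be checked.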