net: ipmr/ip6mr: fix potential out-of-bounds vif_table access mfc_parent of cache entries is used to index into the vif_table and is initialised from mfcctl->mfcc_parent. This can take values of to 2^16-1, while the vif_table has only MAXVIFS (32) entries. The same problem affects ip6mr. Refuse invalid values to fix a potential out-of-bounds access. Unlike the other validity checks, this is checked in ipmr_mfc_add() instead of the setsockopt handler since its unused in the delete path and might be uninitialized. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: a50436f2cd6e85794f7e1aad795ca8302177b896 [log] [tgz]
author: Patrick McHardy <kaber@trash.net> Wed Mar 17 06:04:14 2010 +0000
committer: David S. Miller <davem@davemloft.net> Fri Mar 19 22:47:22 2010 -0700
tree: 522ac0b3ac330fb53d4ee9147f7565b27b482085
parent: ea93fd9456ad32cd85b2d7914b58c6313cc40c9e [diff] [blame]
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 52e0f74..23e4ac0 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c

@@ -1113,6 +1113,9 @@
 	unsigned char ttls[MAXMIFS];
 	int i;
 
+	if (mfc->mf6cc_parent >= MAXMIFS)
+		return -ENFILE;
+
 	memset(ttls, 255, MAXMIFS);
 	for (i = 0; i < MAXMIFS; i++) {
 		if (IF_ISSET(i, &mfc->mf6cc_ifset))
commit	a50436f2cd6e85794f7e1aad795ca8302177b896	[log] [tgz]
author	Patrick McHardy <kaber@trash.net>	Wed Mar 17 06:04:14 2010 +0000
committer	David S. Miller <davem@davemloft.net>	Fri Mar 19 22:47:22 2010 -0700
tree	522ac0b3ac330fb53d4ee9147f7565b27b482085
parent	ea93fd9456ad32cd85b2d7914b58c6313cc40c9e [diff] [blame]