From: Chris Wright Date: Fri, 24 Mar 2006 07:28:43 +0000 (-0800) Subject: NULL termination of SO_BINDTODEVICE string, from DaveM X-Git-Tag: v2.6.16.1~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4489fd02866cd7c7080a45c4023b861c72fd23ef;p=thirdparty%2Fkernel%2Fstable-queue.git NULL termination of SO_BINDTODEVICE string, from DaveM
---
diff --git a/queue-2.6.16/net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch b/queue-2.6.16/net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch
new file mode 100644
index 00000000000..c2ca46c58b6
--- /dev/null
+++ b/queue-2.6.16/net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch
@@ -0,0 +1,34 @@
+From stable-bounces@linux.kernel.org Thu Mar 23 22:55:25 2006
+Date: Thu, 23 Mar 2006 22:54:18 -0800 (PST)
+From: "David S. Miller"
+To: stable@kernel.org
+Cc:
+Subject: NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated.
+
+The user can pass us arbitrary garbage so we should ensure the
+string they give us is null terminated before we pass it on
+to dev_get_by_index() et al.
+
+Found by Solar Designer.
+
+Signed-off-by: David S. Miller
+Signed-off-by: Chris Wright
+---
+
+ net/core/sock.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+--- linux-2.6.16.orig/net/core/sock.c
++++ linux-2.6.16/net/core/sock.c
+@@ -404,8 +404,9 @@ set_rcvbuf:
+ if (!valbool) {
+ sk->sk_bound_dev_if = 0;
+ } else {
+- if (optlen > IFNAMSIZ)
+- optlen = IFNAMSIZ;
++ if (optlen > IFNAMSIZ - 1)
++ optlen = IFNAMSIZ - 1;
++ memset(devname, 0, sizeof(devname));
+ if (copy_from_user(devname, optval, optlen)) {
+ ret = -EFAULT;
+ break;
diff --git a/queue-2.6.16/series b/queue-2.6.16/series
index 9cde35ee4dd..b2354b9b3b7 100644
--- a/queue-2.6.16/series
+++ b/queue-2.6.16/series
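Review bot: In the sock.c change carried by queue-2.6.16/net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch, the new clamp `if (optlen > IFNAMSIZ - 1)` bounds optlen only from above; optlen's declaration and any earlier validation are outside the hunk, so if it is a signed int, confirm that negative lengths are rejected before this case is reached, because a negative value would reach copy_from_user() as a very large count. If that guarantee is not already given by the caller, add `if (optlen < 0) { ret = -EINVAL; break; }` ahead of the clamp. The termination guarantee now depends on the clamp and the memset together, so a comment above them such as `/* copy at most IFNAMSIZ - 1 bytes into a zeroed buffer so devname is always NUL-terminated */` would keep a later edit from removing one half. The same applies to the identical hunk in queue/net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch; the enclosing case body starts and ends outside both hunks.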
@@ -4,3 +4,4 @@ kconfig-video_decoder-must-select-fw_loader.patch
 2.6.xx-sata_mv-another-critical-fix.patch
 tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch
 xfs-writeout-fix.patch
+net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch
diff --git a/queue/net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch b/queue/net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch
new file mode 100644
index 00000000000..4787ee522c3
--- /dev/null
+++ b/queue/net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch
@@ -0,0 +1,34 @@
+From stable-bounces@linux.kernel.org Thu Mar 23 22:55:25 2006
+Date: Thu, 23 Mar 2006 22:54:18 -0800 (PST)
+From: "David S. Miller"
+To: stable@kernel.org
+Cc:
+Subject: NET: Ensure device name passed to SO_BINDTODEVICE is NULL terminated.
+
+The user can pass us arbitrary garbage so we should ensure the
+string they give us is null terminated before we pass it on
+to dev_get_by_index() et al.
+
+Found by Solar Designer.
+
+Signed-off-by: David S. Miller
+Signed-off-by: Chris Wright
+---
+
+ net/core/sock.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+--- linux-2.6.15.6.orig/net/core/sock.c
++++ linux-2.6.15.6/net/core/sock.c
+@@ -403,8 +403,9 @@ set_rcvbuf:
+ if (!valbool) {
+ sk->sk_bound_dev_if = 0;
+ } else {
+- if (optlen > IFNAMSIZ)
+- optlen = IFNAMSIZ;
++ if (optlen > IFNAMSIZ - 1)
++ optlen = IFNAMSIZ - 1;
++ memset(devname, 0, sizeof(devname));
+ if (copy_from_user(devname, optval, optlen)) {
+ ret = -EFAULT;
+ break;
diff --git a/queue/series b/queue/series
index bad1e52fe9b..ff952e30f6c 100644
--- a/queue/series
+++ b/queue/series
@@ -4,3 +4,4 @@ compat-ifconf-fix-limits.patch
 cramfs-mounts-provide-corrupted-content-since-2.6.15.patch
 kconfig-video_decoder-must-select-fw_loader.patch
 tcp-do-not-use-inet-id-of-global-tcp_socket-when-sending-rst.patch
+net-ensure-device-name-passed-to-so_bindtodevice-is-null-terminated.patch