Commit 0eff683f authored Jul 14, 2010 by Dan Carpenter Committed by David S. Miller Jul 14, 2010

net/sched: potential data corruption



The reset_policy() does:
        memset(d->tcfd_defdata, 0, SIMP_MAX_DATA);
        strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);

In the original code, the size of d->tcfd_defdata wasn't fixed and if
strlen(defdata) was less than 31, reset_policy() would cause memory
corruption.

Please Note:  The original alloc_defdata() assumes defdata is 32
characters and a NUL terminator while reset_policy() assumes defdata is
31 characters and a NUL.  This patch updates alloc_defdata() to match
reset_policy() (ie a shorter string).  I'm not very familiar with this
code so please review carefully.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent f8320f05

net/sched/act_simple.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -73,10 +73,10 @@ static int tcf_simp_release(struct tcf_defact *d, int bind)

		static int alloc_defdata(struct tcf_defact d, char defdata)
		{
		d->tcfd_defdata = kstrndup(defdata, SIMP_MAX_DATA, GFP_KERNEL);
		d->tcfd_defdata = kzalloc(SIMP_MAX_DATA, GFP_KERNEL);
		if (unlikely(!d->tcfd_defdata))
		return -ENOMEM;

		strlcpy(d->tcfd_defdata, defdata, SIMP_MAX_DATA);
		return 0;
		}

Admin message