niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL (ee9c5cfa) · Commits · 戴 / test

niu_get_ethtool_tcam_all() assumes that its output buffer is the right size, and warns before returning if it is not. However, the output buffer size is under user control and ETHTOOL_GRXCLSRLALL is an unprivileged ethtool command. Therefore this is at least a local denial-of-service vulnerability. Change it to check before writing each entry and to return an error if the buffer is already full. Compile-tested only. Signed-off-by:

Ben Hutchings <bhutchings@solarflare.com> Signed-off-by:

David S. Miller <davem@davemloft.net>

drivers/net/niu.c

+6 −10

Original line number	Diff line number	Diff line
		@@ -7272,32 +7272,28 @@ static int niu_get_ethtool_tcam_all(struct niu *np,
		struct niu_parent *parent = np->parent;
		struct niu_tcam_entry *tp;
		int i, idx, cnt;
		u16 n_entries;
		unsigned long flags;

		int ret = 0;

		/* put the tcam size here */
		nfc->data = tcam_get_size(np);

		niu_lock_parent(np, flags);
		n_entries = nfc->rule_cnt;
		for (cnt = 0, i = 0; i < nfc->data; i++) {
		idx = tcam_get_index(np, i);
		tp = &parent->tcam[idx];
		if (!tp->valid)
		continue;
		if (cnt == nfc->rule_cnt) {
		ret = -EMSGSIZE;
		break;
		}
		rule_locs[cnt] = i;
		cnt++;
		}
		niu_unlock_parent(np, flags);

		if (n_entries != cnt) {
		/* print warning, this should not happen */
		netdev_info(np->dev, "niu%d: In %s(): n_entries[%d] != cnt[%d]!!!\n",
		np->parent->index, __func__, n_entries, cnt);
		}

		return 0;
		return ret;
		}

		static int niu_get_nfc(struct net_device dev, struct ethtool_rxnfc cmd,

Admin message