Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ee9c5cfa authored by Ben Hutchings's avatar Ben Hutchings Committed by David S. Miller
Browse files

niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL 



niu_get_ethtool_tcam_all() assumes that its output buffer is the right
size, and warns before returning if it is not.  However, the output
buffer size is under user control and ETHTOOL_GRXCLSRLALL is an
unprivileged ethtool command.  Therefore this is at least a local
denial-of-service vulnerability.

Change it to check before writing each entry and to return an error if
the buffer is already full.

Compile-tested only.

Signed-off-by: default avatarBen Hutchings <bhutchings@solarflare.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 6523ce15

drivers/net/niu.c

+6 −10
Original line number Diff line number Diff line
@@ -7272,32 +7272,28 @@ static int niu_get_ethtool_tcam_all(struct niu *np, 
	struct niu_parent *parent = np->parent;

	struct niu_tcam_entry *tp;

	int i, idx, cnt;

	u16 n_entries;

	unsigned long flags;



	int ret = 0;



	/* put the tcam size here */

	nfc->data = tcam_get_size(np);



	niu_lock_parent(np, flags);

	n_entries = nfc->rule_cnt;

	for (cnt = 0, i = 0; i < nfc->data; i++) {

		idx = tcam_get_index(np, i);

		tp = &parent->tcam[idx];

		if (!tp->valid)

			continue;

		if (cnt == nfc->rule_cnt) {

			ret = -EMSGSIZE;

			break;

		}

		rule_locs[cnt] = i;

		cnt++;

	}

	niu_unlock_parent(np, flags);



	if (n_entries != cnt) {

		/* print warning, this should not happen */

		netdev_info(np->dev, "niu%d: In %s(): n_entries[%d] != cnt[%d]!!!\n",

			    np->parent->index, __func__, n_entries, cnt);

	}



	return 0;

	return ret;

}



static int niu_get_nfc(struct net_device *dev, struct ethtool_rxnfc *cmd,