Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 26dab893 authored by Thomas Graf's avatar Thomas Graf Committed by David S. Miller
Browse files

[PKT_SCHED]: Fix illegal memory dereferences when dumping actions 



The TCA_ACT_KIND attribute is used without checking its
availability when dumping actions therefore leading to a
value of 0x4 being dereferenced.

The use of strcmp() in tc_lookup_action_n() isn't safe
when fed with string from an attribute without enforcing
proper NUL termination.

Both bugs can be triggered with malformed netlink message
and don't require any privileges.

Signed-off-by: default avatarThomas Graf <tgraf@suug.ch>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent e340221a

net/sched/act_api.c

+5 −6
Original line number Diff line number Diff line
@@ -776,7 +776,7 @@ static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n, void *arg) 
	return ret;

}



static char *

static struct rtattr *

find_dump_kind(struct nlmsghdr *n)

{

	struct rtattr *tb1, *tb2[TCA_ACT_MAX+1];
@@ -804,7 +804,7 @@ find_dump_kind(struct nlmsghdr *n) 
		return NULL;

	kind = tb2[TCA_ACT_KIND-1];



	return (char *) RTA_DATA(kind);

	return kind;

}



static int
@@ -817,16 +817,15 @@ tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb) 
	struct tc_action a;

	int ret = 0;

	struct tcamsg *t = (struct tcamsg *) NLMSG_DATA(cb->nlh);

	char *kind = find_dump_kind(cb->nlh);

	struct rtattr *kind = find_dump_kind(cb->nlh);



	if (kind == NULL) {

		printk("tc_dump_action: action bad kind\n");

		return 0;

	}



	a_o = tc_lookup_action_n(kind);

	a_o = tc_lookup_action(kind);

	if (a_o == NULL) {

		printk("failed to find %s\n", kind);

		return 0;

	}
@@ -834,7 +833,7 @@ tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb) 
	a.ops = a_o;



	if (a_o->walk == NULL) {

		printk("tc_dump_action: %s !capable of dumping table\n", kind);

		printk("tc_dump_action: %s !capable of dumping table\n", a_o->kind);

		goto rtattr_failure;

	}