Commit 6d1cfe3f authored by Mark J Cox's avatar Mark J Cox Committed by Linus Torvalds

[PATCH] raw_sendmsg DoS on 2.6

Fix unchecked __get_user that could be tricked into generating a
memory read on an arbitrary address.  The result of the read is not
returned directly but you may be able to divine some information about
it, or use the read to cause a crash on some architectures by reading
hardware state.  CAN-2004-2492.

Fix from Al Viro, ack from Dave Miller.
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 997a51ae
...@@ -361,7 +361,7 @@ static void raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg) ...@@ -361,7 +361,7 @@ static void raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
if (type && code) { if (type && code) {
get_user(fl->fl_icmp_type, type); get_user(fl->fl_icmp_type, type);
__get_user(fl->fl_icmp_code, code); get_user(fl->fl_icmp_code, code);
probed = 1; probed = 1;
} }
break; break;
......
...@@ -627,7 +627,7 @@ static void rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg) ...@@ -627,7 +627,7 @@ static void rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
if (type && code) { if (type && code) {
get_user(fl->fl_icmp_type, type); get_user(fl->fl_icmp_type, type);
__get_user(fl->fl_icmp_code, code); get_user(fl->fl_icmp_code, code);
probed = 1; probed = 1;
} }
break; break;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment