[FEISTY] CVE-2007-2172: [PATCH] [IPv4] fib: Fix out of bound access of fib_props[]

Phillip lougher phillip at lougher.demon.co.uk
Tue May 1 23:53:07 UTC 2007


>From a22afd3c0dd2f1f4f5762ce7d38acc67240384da Mon Sep 17 00:00:00 2001
From: Phillip Lougher <phillip at ubuntu.com>
Date: Wed, 2 May 2007 00:05:28 +0100
Subject: [PATCH] [IPv4] fib: Fix out of bound access of fib_props[] (CVE-2007-2172)

Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.

Signed-off-by: Thomas Graf <tgraf at suug.ch>
Signed-off-by: David S. Miller <davem at davemloft.net>

Conflicts:

	net/ipv4/fib_semantics.c
---
 net/ipv4/fib_frontend.c  |    5 +++++
 net/ipv4/fib_semantics.c |    4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index d47b72a..91c9bfa 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -494,6 +494,11 @@ static int rtm_to_fib_config(struct sk_buff *skb, struct nlmsghdr *nlh,
 	cfg->fc_nlinfo.pid = NETLINK_CB(skb).pid;
 	cfg->fc_nlinfo.nlh = nlh;
 
+	if (cfg->fc_type > RTN_MAX) {
+		err = -EINVAL;
+		goto errout;
+	}
+
 	nlmsg_for_each_attr(attr, nlh, sizeof(struct rtmsg), remaining) {
 		switch (attr->nla_type) {
 		case RTA_DST:
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index e63b8a9..87ef7d5 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -89,8 +89,8 @@ static const struct
 {
 	int	error;
 	u8	scope;
-} fib_props[RTA_MAX + 1] = {
-        {
+} fib_props[RTN_MAX + 1] = {
+	{
 		.error	= 0,
 		.scope	= RT_SCOPE_NOWHERE,
 	},	/* RTN_UNSPEC */
-- 
1.4.4.2





More information about the kernel-team mailing list