From: Neal Cardwell <ncardwell@google.com>
Date: Sun, 9 Dec 2012 11:09:54 +0000 (+0000)
Subject: inet_diag: validate port comparison byte code to prevent unsafe reads
X-Git-Tag: v3.7~2^2~1
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e1f54201cb481f40a04bc47e1bc8c093a189e23;p=pandora-kernel.git

inet_diag: validate port comparison byte code to prevent unsafe reads

Add logic to verify that a port comparison byte code operation
actually has the second inet_diag_bc_op from which we read the port
for such operations.

Previously the code blindly referenced op[1] without first checking
whether a second inet_diag_bc_op struct could fit there. So a
malicious user could make the kernel read 4 bytes beyond the end of
the bytecode array by claiming to have a whole port comparison byte
code (2 inet_diag_bc_op structs) when in fact the bytecode was not
long enough to hold both.

Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

Reading git-diff-tree failed