projects / GitHub / MotorolaMobilityLLC / kernel-slsi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3d54015)
ipv4: ARP neigh procfs buffer overflow
authorroel kluin <roel.kluin@gmail.com>
Wed, 29 Jul 2009 23:46:59 +0000 (23:46 +0000)
committerDavid S. Miller <davem@davemloft.net>
Thu, 30 Jul 2009 20:27:29 +0000 (13:27 -0700)
If arp_format_neigh_entry() can be called with n->dev->addr_len == 0, then a
write to hbuffer[-1] occurs.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/arp.c patch | blob | blame | history

diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index c29d75d8f1b124ee7706da2e145189eaf7c5b65e..090e9991ac2a288f31f378ad327b4c18a2b8ecba 100644 (file)
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1304,7 +1304,9 @@ static void arp_format_neigh_entry(struct seq_file *seq,
                hbuffer[k++] = hex_asc_lo(n->ha[j]);
                hbuffer[k++] = ':';
        }
-       hbuffer[--k] = 0;
+       if (k != 0)
+               --k;
+       hbuffer[k] = 0;
 #if defined(CONFIG_AX25) || defined(CONFIG_AX25_MODULE)
        }
 #endif
Motorola kernel-slsi