Fix payload size checks like this one:
- sprintf(act_name, "%s", (char*)RTA_DATA(kind));
- if (RTA_PAYLOAD(kind) >= IFNAMSIZ) {
- printk("Action %s bad\n",
(char*)RTA_DATA(kind))
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2004/12/30 01:45:41+01:00 kaber@xxxxxxxxxxxx
# [PKT_SCHED]: Check TCA_ACT_KIND payload size _before_ copying it
#
# Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
#
# net/sched/act_api.c
# 2004/12/30 01:45:35+01:00 kaber@xxxxxxxxxxxx +6 -14
# [PKT_SCHED]: Check TCA_ACT_KIND payload size _before_ copying it
#
# Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
#
diff -Nru a/net/sched/act_api.c b/net/sched/act_api.c
--- a/net/sched/act_api.c 2004-12-30 04:01:10 +01:00
+++ b/net/sched/act_api.c 2004-12-30 04:01:10 +01:00
@@ -288,11 +288,9 @@
goto err_out;
kind = tb[TCA_ACT_KIND-1];
if (kind != NULL) {
- sprintf(act_name, "%s", (char*)RTA_DATA(kind));
- if (RTA_PAYLOAD(kind) >= IFNAMSIZ) {
- printk("Action %s bad\n",
(char*)RTA_DATA(kind));
+ if (RTA_PAYLOAD(kind) >= IFNAMSIZ)
goto err_out;
- }
+ sprintf(act_name, "%s", (char*)RTA_DATA(kind));
} else {
printk("Action bad kind\n");
goto err_out;
@@ -503,12 +501,9 @@
goto err_out;
kind = tb[TCA_ACT_KIND-1];
if (kind != NULL) {
- sprintf(act_name, "%s", (char*)RTA_DATA(kind));
- if (RTA_PAYLOAD(kind) >= IFNAMSIZ) {
- printk("tcf_action_get_1: action %s bad\n",
- (char*)RTA_DATA(kind));
+ if (RTA_PAYLOAD(kind) >= IFNAMSIZ)
goto err_out;
- }
+ sprintf(act_name, "%s", (char*)RTA_DATA(kind));
} else {
printk("tcf_action_get_1: action bad kind\n");
goto err_out;
@@ -567,12 +562,9 @@
struct tc_action_ops *a_o = NULL;
if (kind != NULL) {
- sprintf(act_name, "%s", (char*)RTA_DATA(kind));
- if (RTA_PAYLOAD(kind) >= IFNAMSIZ) {
- printk("get_ao: action %s bad\n",
- (char*)RTA_DATA(kind));
+ if (RTA_PAYLOAD(kind) >= IFNAMSIZ)
return NULL;
- }
+ sprintf(act_name, "%s", (char*)RTA_DATA(kind));
} else {
printk("get_ao: action bad kind\n");
return NULL;
|