From patchwork Sat Feb 12 22:48:11 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Linus_L=C3=BCssing?= X-Patchwork-Id: 801 Return-Path: Received: from fmmailgate02.web.de (fmmailgate02.web.de [217.72.192.227]) by open-mesh.org (Postfix) with ESMTP id 69A1715416B for ; Sat, 12 Feb 2011 23:48:42 +0100 (CET) Received: from smtp01.web.de ( [172.20.0.243]) by fmmailgate02.web.de (Postfix) with ESMTP id BAA5C19731C6C; Sat, 12 Feb 2011 23:48:21 +0100 (CET) Received: from [46.126.246.98] (helo=localhost) by smtp01.web.de with asmtp (TLSv1:AES128-SHA:128) (WEB.DE 4.110 #24) id 1PoOGL-0004md-00; Sat, 12 Feb 2011 23:48:21 +0100 From: =?UTF-8?q?Linus=20L=C3=BCssing?= To: b.a.t.m.a.n@lists.open-mesh.org Date: Sat, 12 Feb 2011 23:48:11 +0100 Message-Id: <1297550891-18231-1-git-send-email-linus.luessing@ascom.ch> X-Mailer: git-send-email 1.7.2.3 MIME-Version: 1.0 Sender: linus.luessing@web.de X-Sender: linus.luessing@web.de X-Provags-ID: V01U2FsdGVkX1/mv5ff5gNzndUwpDhKWkfsJglCA+2c9Rz2WYRg hc/Z77eGB/wyzXKD4wxYSEtB5ohl7HWbAK2YXjXddcU26K5iLw rUqBvTANgdIVtCFvUxuQ== Cc: =?UTF-8?q?Linus=20L=C3=BCssing?= Subject: [B.A.T.M.A.N.] [PATCH] batman-adv: Fix possible buffer overflow in softif neigh list output X-BeenThere: b.a.t.m.a.n@lists.open-mesh.org X-Mailman-Version: 2.1.13 Precedence: list Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking List-Id: The list for a Better Approach To Mobile Ad-hoc Networking List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Feb 2011 22:48:42 -0000 When printing the soft interface table the number of entries in the softif neigh list are first being counted and a fitting buffer allocated. After that the softif neigh list gets locked again and the buffer printed - which has the following two issues: For one thing, the softif neigh list might have grown when reacquiring the rcu lock, which results in writing outside of the allocated buffer. For another, only 30 Bytes per soft interface neighbor are allocated, but up to 31 Bytes get copied into the buffer which leads to a buffer overflow again if the vid needs more than one digit. Furthermore 31 Bytes are not enough for printing an entry with a vid of more than 2 digits. The manual buffering is unnecessary, we can safely print to the seq directly during the rcu_read_lock(). Signed-off-by: Linus Lüssing --- soft-interface.c | 22 +--------------------- 1 files changed, 1 insertions(+), 21 deletions(-) diff --git a/soft-interface.c b/soft-interface.c index bd8b539..e543d09 100644 --- a/soft-interface.c +++ b/soft-interface.c @@ -173,8 +173,6 @@ int softif_neigh_seq_print_text(struct seq_file *seq, void *offset) struct bat_priv *bat_priv = netdev_priv(net_dev); struct softif_neigh *softif_neigh; struct hlist_node *node; - size_t buf_size, pos; - char *buff; if (!bat_priv->primary_if) { return seq_printf(seq, "BATMAN mesh %s disabled - " @@ -184,33 +182,15 @@ int softif_neigh_seq_print_text(struct seq_file *seq, void *offset) seq_printf(seq, "Softif neighbor list (%s)\n", net_dev->name); - buf_size = 1; - /* Estimate length for: " xx:xx:xx:xx:xx:xx\n" */ rcu_read_lock(); hlist_for_each_entry_rcu(softif_neigh, node, &bat_priv->softif_neigh_list, list) - buf_size += 30; - rcu_read_unlock(); - - buff = kmalloc(buf_size, GFP_ATOMIC); - if (!buff) - return -ENOMEM; - - buff[0] = '\0'; - pos = 0; - - rcu_read_lock(); - hlist_for_each_entry_rcu(softif_neigh, node, - &bat_priv->softif_neigh_list, list) { - pos += snprintf(buff + pos, 31, "%s %pM (vid: %d)\n", + seq_printf(seq, "%s %pM (vid: %d)\n", bat_priv->softif_neigh == softif_neigh ? "=>" : " ", softif_neigh->addr, softif_neigh->vid); - } rcu_read_unlock(); - seq_printf(seq, "%s", buff); - kfree(buff); return 0; }