[linux-tr] Buffer overrun in /proc/net/tr_rif
cat /proc/net/tr_rif can result in buffer overruns.
Admittedly I only observed this when running my cleaned-up version, but I
think it will still occur in the normal case.
This is the patch I was using - the line numbers probably won't line up
since I've just cut Paul's big-RIF patch out of it.
Cheers
Adrian
diff -ru linux.orig/net/802/tr.c linux/net/802/tr.c
--- linux.orig/net/802/tr.c Wed Mar 31 22:03:57 1999
+++ linux/net/802/tr.c Tue Apr 6 23:31:44 1999
@@ -450,46 +460,34 @@
rif_cache entry;
- size=sprintf(buffer,
+ len+=sprintf(buffer,
"if TR address TTL rcf routing segments\n");
- pos+=size;
- len+=size;
for(i=0;i < RIF_TABLE_SIZE;i++)
{
for(entry=rif_table[i];entry;entry=entry->next) {
- size=sprintf(buffer+len,"%s %02X:%02X:%02X:%02X:%02X:%02X %7li ",
+ len+=sprintf(buffer+len,"%s %02X:%02X:%02X:%02X:%02X:%02X %7li ",
entry->iface,entry->addr[0],entry->addr[1],entry->addr[2],entry->addr[3],entry->addr[4],entry->addr[5],
sysctl_tr_rif_timeout-(now-entry->last_used));
- len+=size;
- pos=begin+len;
if (entry->local_ring)
- size=sprintf(buffer+len,"local\n");
+ len+=sprintf(buffer+len,"local\n");
else {
- size=sprintf(buffer+len,"%04X", ntohs(entry->rcf));
+ len+=sprintf(buffer+len,"%04X", ntohs(entry->rcf));
rcf_len = ((ntohs(entry->rcf) & TR_RCF_LEN_MASK)>>8)-2;
if (rcf_len)
rcf_len >>= 1;
for(j = 1; j < rcf_len; j++) {
if(j==1) {
segment=ntohs(entry->rseg[j-1])>>4;
- len+=size;
- pos=begin+len;
- size=sprintf(buffer+len," %03X",segment);
+ len+=sprintf(buffer+len," %03X",segment);
};
segment=ntohs(entry->rseg[j])>>4;
brdgnmb=ntohs(entry->rseg[j-1])&0x00f;
- len+=size;
- pos=begin+len;
- size=sprintf(buffer+len,"-%01X-%03X",brdgnmb,segment);
+ len+=sprintf(buffer+len,"-%01X-%03X",brdgnmb,segment);
}
- len+=size;
- pos=begin+len;
- size=sprintf(buffer+len,"\n");
+ len+=sprintf(buffer+len,"\n");
}
- len+=size;
pos=begin+len;
-
if(pos<offset)
{
len=0;
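Review bot: Nothing on the new side bounds these writes: each `sprintf(buffer+len, ...)` formats a whole entry, and `pos` is compared with `offset+length` only after the entry is complete, so the buffer needs slack for at least one full line. The second hunk (`@@ -498,8 +496,6 @@`) then removes the outer-loop copy of `if(pos>offset+length) break;`, and as the braces read here the remaining `break` leaves only the `entry` loop, so the `for(i...)` loop would move on to the next bucket and format another entry per non-empty chain after the limit has been passed. I would keep the outer check, `if(pos>offset+length) break;` after the inner loop's closing brace, or fold the condition into the outer `for`. Separately, `rcf_len` is taken straight from `entry->rcf` and indexes `entry->rseg[j]` with no check against the array's size, which is declared outside this hunk and worth confirming. The enclosing function starts before and ends after the lines shown.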
@@ -498,8 +496,6 @@
if(pos>offset+length)
break;
}
- if(pos>offset+length)
- break;
}
*start=buffer+(offset-begin); /* Start of wanted data */
Adrian Bridgett <bridgett@hursley.ibm.com>
Internal: 7-245528 External: 01962-815528