
[linux-tr] Buffer overrun in /proc/net/tr_rif



cat /proc/net/tr_rif can result in buffer overruns.

Admittedly I only observed this when running my cleaned-up version, but I
think it will still occur in the normal case.

This is the patch I was using - the line numbers probably won't line up
since I've just cut Paul's big-RIF patch out of it.

Cheers

Adrian

diff -ru linux.orig/net/802/tr.c linux/net/802/tr.c
--- linux.orig/net/802/tr.c	Wed Mar 31 22:03:57 1999
+++ linux/net/802/tr.c	Tue Apr  6 23:31:44 1999
@@ -450,46 +460,34 @@
 
 	rif_cache entry;
 
-	size=sprintf(buffer,
+	len+=sprintf(buffer,
 		     "if     TR address       TTL   rcf   routing segments\n");
-	pos+=size;
-	len+=size;
 
 	for(i=0;i < RIF_TABLE_SIZE;i++) 
 	{
 		for(entry=rif_table[i];entry;entry=entry->next) {
-			size=sprintf(buffer+len,"%s %02X:%02X:%02X:%02X:%02X:%02X %7li ",
+			len+=sprintf(buffer+len,"%s %02X:%02X:%02X:%02X:%02X:%02X %7li ",
 				     entry->iface,entry->addr[0],entry->addr[1],entry->addr[2],entry->addr[3],entry->addr[4],entry->addr[5],
 				     sysctl_tr_rif_timeout-(now-entry->last_used));
-			len+=size;
-			pos=begin+len;
 			if (entry->local_ring)
-			        size=sprintf(buffer+len,"local\n");
+			        len+=sprintf(buffer+len,"local\n");
 			else {
-			        size=sprintf(buffer+len,"%04X", ntohs(entry->rcf));
+			        len+=sprintf(buffer+len,"%04X", ntohs(entry->rcf));
 				rcf_len = ((ntohs(entry->rcf) & TR_RCF_LEN_MASK)>>8)-2; 
 				if (rcf_len)
 				        rcf_len >>= 1;
 				for(j = 1; j < rcf_len; j++) {
 					if(j==1) {
 						segment=ntohs(entry->rseg[j-1])>>4;
-						len+=size;
-						pos=begin+len;
-						size=sprintf(buffer+len,"  %03X",segment);
+						len+=sprintf(buffer+len,"  %03X",segment);
 					};
 					segment=ntohs(entry->rseg[j])>>4;
 					brdgnmb=ntohs(entry->rseg[j-1])&0x00f;
-					len+=size;
-					pos=begin+len;
-					size=sprintf(buffer+len,"-%01X-%03X",brdgnmb,segment);
+					len+=sprintf(buffer+len,"-%01X-%03X",brdgnmb,segment);
 				}
-				len+=size;
-				pos=begin+len;
-			        size=sprintf(buffer+len,"\n");
+			        len+=sprintf(buffer+len,"\n");
 			}
-			len+=size;
 			pos=begin+len;
-
 			if(pos<offset) 
 			{
 				len=0;
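Review bot: Every `sprintf(buffer+len, ...)` in the entry loop still writes without a bound, and the only limit test (`if(pos>offset+length)`, in the next hunk) runs after a whole entry line has already been formatted, so this cleanup does not by itself stop one entry from running past the end of the caller's buffer. The size of `buffer` is not visible here, so this is inferred from the visible lines and assumes `length` reflects the space available. A headroom test before each entry is formatted would close it, leaving both loops when `len + RIF_LINE_MAX > length`, where `RIF_LINE_MAX` is a placeholder for the worst-case line length (the fixed prefix plus the maximum number of route segments). The segment count comes from `rcf_len`, which is taken from `entry->rcf` with `-2` applied and no range check visible, so it would be worth clamping it to the size of `rseg` as well. The enclosing function starts and ends outside the hunk.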
@@ -498,8 +496,6 @@
 			if(pos>offset+length)
 				break;
 	   	}
-		if(pos>offset+length)
-			break;
 	}
 
 	*start=buffer+(offset-begin); /* Start of wanted data */
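Review bot: Dropping the outer `if(pos>offset+length) break;` changes behaviour rather than just tidying. The remaining `break` only leaves the per-bucket `for(entry=rif_table[i];...)` loop, so the `for(i=0;i < RIF_TABLE_SIZE;i++)` loop carries on and each later non-empty bucket formats at least one more entry at `buffer+len` before the inner test fires again. Output can then grow past `offset+length` by up to one line per remaining bucket, which works against the overrun this patch sets out to fix. Keep the outer test, or replace both with a single jump to a label placed just before `*start=buffer+(offset-begin);`. The function body continues outside the hunk.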


Adrian Bridgett <bridgett@hursley.ibm.com>
Internal: 7-245528  External: 01962-815528