authorTom Quetchenbach <virtualphtn@gmail.com>2008-04-25 01:45:32 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2008-05-01 14:44:32 -0700
commit36b9699b534c7fa75258426ea137c23f4dca9bc0 (patch)
treedba851434f0c27f0f0f5ad350f8b8941508cc0d7
parent9287ef4c9e3f3d0d9f412f910207b8b77a1e51eb (diff)
tcp: tcp_probe buffer overflow and incorrect return value
[ Upstream commit: 8d390efd903485923419584275fd0c2aa4c94183 ] tcp_probe has a bounds-checking bug that causes many programs (less, python) to crash reading /proc/net/tcp_probe. When it outputs a log line to the reader, it only checks if that line alone will fit in the reader's buffer, rather than that line and all the previous lines it has already written. tcpprobe_read also returns the wrong value if copy_to_user fails--it just passes on the return value of copy_to_user (number of bytes not copied), which makes a failure look like a success. This patch fixes the buffer overflow and sets the return value to -EFAULT if copy_to_user fails. Patch is against latest net-2.6; tested briefly and seems to fix the crashes in less and python. Signed-off-by: Tom Quetchenbach <virtualphtn@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--net/ipv4/tcp_probe.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
index 87dd5bff315f..a79a547464a5 100644
--- a/net/ipv4/tcp_probe.c
+++ b/net/ipv4/tcp_probe.c
@@ -190,19 +190,18 @@ static ssize_t tcpprobe_read(struct file *file, char __user *buf,
width = tcpprobe_sprint(tbuf, sizeof(tbuf));
- if (width < len)
+ if (cnt + width < len)
tcp_probe.tail = (tcp_probe.tail + 1) % bufsize;
spin_unlock_bh(&tcp_probe.lock);
/* if record greater than space available
return partial buffer (so far) */
- if (width >= len)
+ if (cnt + width >= len)
break;
- error = copy_to_user(buf + cnt, tbuf, width);
- if (error)
- break;
+ if (copy_to_user(buf + cnt, tbuf, width))
+ return -EFAULT;
cnt += width;
}
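Review bot: Nothing in this hunk bounds `width` by `sizeof(tbuf)` before `copy_to_user(buf + cnt, tbuf, width)`, so the copy length rests entirely on what tcpprobe_sprint returns. Its body is not visible here; if it returns an snprintf-style length (the size the record would have needed rather than the bytes stored), a truncated record would make the copy read past `tbuf` and expose adjacent kernel stack bytes to the reader. A clamp right after the call, such as `if (width >= sizeof(tbuf)) width = sizeof(tbuf) - 1;`, or having the helper return only the bytes it actually wrote, would remove that dependency. Separately, the new `return -EFAULT;` discards the `cnt` bytes already delivered and the record whose tail was advanced before the unlock, so `return cnt ? cnt : -EFAULT;` may be the better contract. The enclosing loop and the function's final return lie outside the hunk, so both points should be checked against the full body.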