Backported from 2.6. Found and fixed from Thomas Graf:
Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
{
int error;
u8 scope;
-} dn_fib_props[RTA_MAX+1] = {
+} dn_fib_props[RTN_MAX+1] = {
{ 0, RT_SCOPE_NOWHERE }, /* RTN_UNSPEC */
{ 0, RT_SCOPE_UNIVERSE }, /* RTN_UNICAST */
{ 0, RT_SCOPE_HOST }, /* RTN_LOCAL */
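Review bot: The entries of dn_fib_props[] are tied to their route type only by position and a trailing comment, so the table can still drift away from the RTN_* numbering even with the size corrected to RTN_MAX+1. Designated initializers such as `[RTN_UNICAST] = { 0, RT_SCOPE_UNIVERSE },` would bind each row to its index, and make it obvious that any type without a row gets a zero-filled entry, which is worth checking is the intended error and scope for those types.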
struct dn_fib_info *ofi;
int nhs = 1;
+ if (r->rtm_type > RTN_MAX)
+ goto err_inval;
+
if (dn_fib_props[r->rtm_type].scope > r->rtm_scope)
goto err_inval;
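Review bot: The new bound in `if (r->rtm_type > RTN_MAX)` repeats the constant used in the array declaration rather than being derived from the array itself, which is the kind of coupling the typo fixed by this patch broke. Consider comparing against the element count of dn_fib_props (for example via ARRAY_SIZE, if this tree provides it) so the check on the userspace-supplied index cannot go stale if the declaration changes. The test only covers the upper bound, so it is also worth confirming that rtm_type is an unsigned field, and stating in a short comment above the check that the value comes from netlink and is untrusted.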