[DECNet] fib: Fix out of bound access of dn_fib_props[]

Backported from 2.6. Found and fixed from Thomas Graf :

Fixes a typo which caused fib_props[] to have the wrong size
and makes sure the value used to index the array which is
provided by userspace via netlink is checked to avoid out of
bound access.

Signed-off-by: Thomas Graf <tgraf@suug.ch>

diff --git a/net/decnet/dn_fib.c b/net/decnet/dn_fib.c
index 59a1c9f..6c42818 100644 (file)
--- a/net/decnet/dn_fib.c
+++ b/net/decnet/dn_fib.c
@@ -61,7 +61,7 @@ static struct
 {
        int error;
        u8 scope;
-} dn_fib_props[RTA_MAX+1] = {
+} dn_fib_props[RTN_MAX+1] = {
        { 0, RT_SCOPE_NOWHERE },                /* RTN_UNSPEC */
        { 0, RT_SCOPE_UNIVERSE },               /* RTN_UNICAST */
        { 0, RT_SCOPE_HOST },                   /* RTN_LOCAL */
@@ -257,6 +257,9 @@ struct dn_fib_info *dn_fib_create_info(const struct rtmsg *r, struct dn_kern_rta
        struct dn_fib_info *ofi;
        int nhs = 1;
 
+       if (r->rtm_type > RTN_MAX)
+               goto err_inval;
+
        if (dn_fib_props[r->rtm_type].scope > r->rtm_scope)
                goto err_inval;