Prev: [105/145] sunxvr500: Additional PCI id for sunxvr500 driver
Next: [075/145] ALSA: via82xx: add quirk for D1289 motherboard
From: Greg KH on 12 Mar 2010 19:40
2.6.32-stable review patch. If anyone has any objections, please let me know.

----------------
From: Tim Gardner <tim.gardner(a)canonical.com>

commit 2c08522e5d2f0af2d6f05be558946dcbf8173683 upstream.

e->index overflows e->stamps[] every ip_pkt_list_tot packets.

Consider the case when ip_pkt_list_tot==1; the first packet received is stored
in e->stamps[0] and e->index is initialized to 1. The next received packet
timestamp is then stored at e->stamps[1] in recent_entry_update(),
a buffer overflow because the maximum e->stamps[] index is 0.

Signed-off-by: Tim Gardner <tim.gardner(a)canonical.com>
Signed-off-by: Patrick McHardy <kaber(a)trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)suse.de>

---
net/netfilter/xt_recent.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -173,10 +173,10 @@ recent_entry_init(struct recent_table *t

static void recent_entry_update(struct recent_table *t, struct recent_entry *e)
{
+ e->index %= ip_pkt_list_tot;
e->stamps[e->index++] = jiffies;
if (e->index > e->nstamps)
e->nstamps = e->index;
- e->index %= ip_pkt_list_tot;
list_move_tail(&e->lru_list, &t->lru_list);
}



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
 | 
Pages: 1
Prev: [105/145] sunxvr500: Additional PCI id for sunxvr500 driver
Next: [075/145] ALSA: via82xx: add quirk for D1289 motherboard