authorEric W. Biederman <ebiederm@xmission.com>2009-11-12 01:39:06 -0800
committerEric W. Biederman <ebiederm@xmission.com>2009-11-12 01:42:31 -0800
commit757010f026ab3044c594003e216d00a33ed95c56 (patch)
tree4e9d44c52c34c09b5a347688af20840be7a1c61a
parent63395b65972c07edce595c9cc8a983016738cdac (diff)
sysctl binary: Reorder the tests to process wild card entries first.
A malicious user could have passed in a ctl_name of 0 and triggered the well-known ctl_name to procname mapping code instead of the wild card matching code. This is a slight problem, as wild card entries don't have procnames, and because in some alternate universe a network device might have ifindex 0. So test for and handle wild card entries first. Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
-rw-r--r--kernel/sysctl_binary.c15
1 files changed, 7 insertions, 8 deletions
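--- a/kernel/sysctl_binary.c
+++ b/kernel/sysctl_binary.c
@@ -1269,17 +1269,12 @@ repeat:
 for ( ; table->convert; table++) {
 int len = 0;
- /* Use the well known sysctl number to proc name mapping */
- if (ctl_name == table->ctl_name) {
- len = strlen(table->procname);
- memcpy(path, table->procname, len);
- }
-#ifdef CONFIG_NET
 /*
 * For a wild card entry map from ifindex to network
 * device name.
 */
- else if (!table->ctl_name) {
+ if (!table->ctl_name) {
+#ifdef CONFIG_NET
 struct net *net = current->nsproxy->net_ns;
 struct net_device *dev;
 dev = dev_get_by_index(net, ctl_name);
@@ -1288,8 +1283,12 @@ repeat:
 memcpy(path, dev->name, len);
 dev_put(dev);
 }
- }
 #endif
+ /* Use the well known sysctl number to proc name mapping */
+ } else if (ctl_name == table->ctl_name) {
+ len = strlen(table->procname);
+ memcpy(path, table->procname, len);
+ }
 if (len) {
 path += len;
 if (table->child) {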
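Review bot: The comment `/* Use the well known sysctl number to proc name mapping */` added in the second hunk sits inside the wild-card branch, after its `#endif` and before the `} else if`, so it reads as if it belonged to the block it is closing; move it to follow `} else if (ctl_name == table->ctl_name) {` so it sits with the procname lookup it describes. Nothing in either hunk bounds the two `memcpy` writes into `path` (`dev->name` and `table->procname`), and the enclosing loop starts and ends outside the hunks, so this presumably relies on the caller sizing `path` for the longest name plus any remaining components — worth confirming against the allocation rather than assuming. With CONFIG_NET disabled the wild-card branch is now an empty body that leaves `len` at 0, so the entry is simply skipped by `if (len)`; an `#else` carrying a one-line comment such as `/* no ifindex lookup without CONFIG_NET: wild card entries never match */` would make that intended outcome explicit.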