forked from luck/tmp_suning_uos_patched
sysctl binary: Reorder the tests to process wild card entries first.
A malicious user could have passed in a ctl_name of 0 and triggered the well know ctl_name to procname mapping code, instead of the wild card matching code. This is a slight problem as wild card entries don't have procnames, and because in some alternate universe a network device might have ifindex 0. So test for and handle wild card entries first. Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
This commit is contained in:
parent
63395b6597
commit
757010f026
|
@ -1269,17 +1269,12 @@ static const struct bin_table *get_sysctl(const int *name, int nlen, char *path)
|
|||
for ( ; table->convert; table++) {
|
||||
int len = 0;
|
||||
|
||||
/* Use the well known sysctl number to proc name mapping */
|
||||
if (ctl_name == table->ctl_name) {
|
||||
len = strlen(table->procname);
|
||||
memcpy(path, table->procname, len);
|
||||
}
|
||||
#ifdef CONFIG_NET
|
||||
/*
|
||||
* For a wild card entry map from ifindex to network
|
||||
* device name.
|
||||
*/
|
||||
else if (!table->ctl_name) {
|
||||
if (!table->ctl_name) {
|
||||
#ifdef CONFIG_NET
|
||||
struct net *net = current->nsproxy->net_ns;
|
||||
struct net_device *dev;
|
||||
dev = dev_get_by_index(net, ctl_name);
|
||||
|
@ -1288,8 +1283,12 @@ static const struct bin_table *get_sysctl(const int *name, int nlen, char *path)
|
|||
memcpy(path, dev->name, len);
|
||||
dev_put(dev);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
/* Use the well known sysctl number to proc name mapping */
|
||||
} else if (ctl_name == table->ctl_name) {
|
||||
len = strlen(table->procname);
|
||||
memcpy(path, table->procname, len);
|
||||
}
|
||||
if (len) {
|
||||
path += len;
|
||||
if (table->child) {
|
||||
|
|
Loading…
Reference in New Issue
Block a user