Commit 757010f0 authored by Eric W. Biederman

sysctl binary: Reorder the tests to process wild card entries first.

A malicious user could have passed in a ctl_name of 0 and triggered
the well known ctl_name to procname mapping code, instead of the wild
card matching code.  This is a slight problem as wild card entries don't
have procnames, and because in some alternate universe a network device
might have ifindex 0.  So test for and handle wild card entries first.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Parent 63395b65
......@@ -1269,17 +1269,12 @@ static const struct bin_table *get_sysctl(const int *name, int nlen, char *path)
for ( ; table->convert; table++) {
int len = 0;
/* Use the well known sysctl number to proc name mapping */
if (ctl_name == table->ctl_name) {
len = strlen(table->procname);
memcpy(path, table->procname, len);
}
#ifdef CONFIG_NET
/*
* For a wild card entry map from ifindex to network
* device name.
*/
else if (!table->ctl_name) {
if (!table->ctl_name) {
#ifdef CONFIG_NET
struct net *net = current->nsproxy->net_ns;
struct net_device *dev;
dev = dev_get_by_index(net, ctl_name);
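Review bot: with `#ifdef CONFIG_NET` moved inside the `if (!table->ctl_name)` branch, a wild card entry on a kernel built without CONFIG_NET now falls into an empty block and leaves `len` at 0, which is the intended outcome (the entry is simply not resolved) but is not obvious to a reader; a one-line comment or an `#else` stating that wild card entries cannot be resolved without networking would make it explicit. The reorder itself does what the commit message says: once the wild card test runs first, a caller-supplied ctl_name of 0 can no longer satisfy `ctl_name == table->ctl_name` for an entry that has no procname.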
......@@ -1288,8 +1283,12 @@ static const struct bin_table *get_sysctl(const int *name, int nlen, char *path)
memcpy(path, dev->name, len);
dev_put(dev);
}
}
#endif
/* Use the well known sysctl number to proc name mapping */
} else if (ctl_name == table->ctl_name) {
len = strlen(table->procname);
memcpy(path, table->procname, len);
}
if (len) {
path += len;
if (table->child) {
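Review bot: the comment `/* Use the well known sysctl number to proc name mapping */` now sits between `#endif` and `} else if (ctl_name == table->ctl_name) {`, so lexically it is inside the wild card block it does not describe; move it directly above the `if (!table->ctl_name)` test or into the body of the `else if` so it attaches to the code it documents. With the `#endif` now closing only the wild card body, a wild card entry for which `dev_get_by_index()` finds no device leaves `len` at 0 and is skipped by the `if (len)` check below, which is consistent with the old behaviour.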