vapier 15/04/20 20:51:19 Added: iproute2-4.0.0-tc-show-buffer-overflow.patch Log: Add fix from upstream for buffer overflows when running `tc qdisc show` #546928 by jamesrutledge. (Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key D2E96200)
Revision Changes Path
1.1 sys-apps/iproute2/files/iproute2-4.0.0-tc-show-buffer-overflow.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-apps/iproute2/files/iproute2-4.0.0-tc-show-buffer-overflow.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-apps/iproute2/files/iproute2-4.0.0-tc-show-buffer-overflow.patch?rev=1.1&content-type=text/plain
Index: iproute2-4.0.0-tc-show-buffer-overflow.patch
===================================================================
https://bugs.gentoo.org/546928
>From 46679bbbe89699016d31486de7599590d02a5054 Mon Sep 17 00:00:00 2001
From: Vadim Kochan <[email protected]>
Date: Mon, 20 Apr 2015 08:33:32 +0300
Subject: [PATCH] tc util: Fix possible buffer overflow when print class id
Use correct handle buffer length.
Signed-off-by: Vadim Kochan <[email protected]>
---
 tc/tc_util.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/tc/tc_util.c b/tc/tc_util.c
index 1d3153d..dc2b70f 100644
--- a/tc/tc_util.c
+++ b/tc/tc_util.c
@@ -128,30 +128,31 @@ ok:
 return 0;
 }
-int print_tc_classid(char *buf, int len, __u32 h)
+int print_tc_classid(char *buf, int blen, __u32 h)
 {
- char handle[40] = {};
+ SPRINT_BUF(handle) = {};
+ int hlen = SPRINT_BSIZE - 1;
 if (h == TC_H_ROOT)
 sprintf(handle, "root");
 else if (h == TC_H_UNSPEC)
- snprintf(handle, len, "none");
+ snprintf(handle, hlen, "none");
 else if (TC_H_MAJ(h) == 0)
- snprintf(handle, len, ":%x", TC_H_MIN(h));
+ snprintf(handle, hlen, ":%x", TC_H_MIN(h));
 else if (TC_H_MIN(h) == 0)
- snprintf(handle, len, "%x:", TC_H_MAJ(h) >> 16);
+ snprintf(handle, hlen, "%x:", TC_H_MAJ(h) >> 16);
 else
- snprintf(handle, len, "%x:%x", TC_H_MAJ(h) >> 16, TC_H_MIN(h));
+ snprintf(handle, hlen, "%x:%x", TC_H_MAJ(h) >> 16, TC_H_MIN(h));
 if (use_names) {
 char clname[IDNAME_MAX] = {};
 if (id_to_name(cls_names, h, clname))
- snprintf(buf, len, "%s#%s", clname, handle);
+ snprintf(buf, blen, "%s#%s", clname, handle);
 else
- snprintf(buf, len, "%s", handle);
+ snprintf(buf, blen, "%s", handle);
 } else {
- snprintf(buf, len, "%s", handle);
+ snprintf(buf, blen, "%s", handle);
 }
 return 0;
-- 2.3.5
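Review bot: The `TC_H_ROOT` branch still calls unbounded `sprintf(handle, "root")`, and the new bound `hlen = SPRINT_BSIZE - 1` is a second constant that must be kept in step with the `SPRINT_BUF(handle)` declaration by hand, which is the same kind of size/buffer mismatch this patch is correcting. Assuming `SPRINT_BUF` declares a plain `char` array, taking the bound from the object removes that coupling: `snprintf(handle, sizeof(handle), "root");`, with `sizeof(handle)` in the other four branches as well (snprintf already reserves room for the terminating NUL, so the `- 1` is not needed). The three writes into `buf` discard snprintf's return value and the function returns 0 unconditionally, so a `"%s#%s"` result longer than `blen` is cut short without the caller being able to tell; at minimum a comment such as `/* output is truncated to blen - 1 bytes; always returns 0 */` above the function would document that. The closing brace of print_tc_classid lies outside the hunk.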
