From: juhosg <juhosg@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Date: Sun, 20 Jun 2010 05:42:38 +0000 (+0000)
Subject: backfire: [kernel] swconfig: Check vlan/port indexes for validity. (backport of r20811)
X-Git-Url: http://git.ozo.com/?p=openwrt-10.03%2F.git;a=commitdiff_plain;h=445022bc75f1570f02e5e239b194223a18ad22d3

backfire: [kernel] swconfig: Check vlan/port indexes for validity. (backport of r20811)

Swconfig needs to make sure that requested vlans/ports actually exist,
else it might read or modify memory not belonging to itself.

This patch adds a quick range check in swconfig's kernel part to
prevent accidential or intentional memory modification.

Signed-off-by: Jonas Gorski <jonas.gorski+openwrt@gmail.com>


git-svn-id: svn://svn.openwrt.org/openwrt/branches/backfire@21846 3c298f89-4303-0410-b956-a3cf2f4a3e73
---

diff --git a/target/linux/generic-2.6/files/drivers/net/phy/swconfig.c b/target/linux/generic-2.6/files/drivers/net/phy/swconfig.c
index 4ca4ea32f..1eebe87e5 100644
--- a/target/linux/generic-2.6/files/drivers/net/phy/swconfig.c
+++ b/target/linux/generic-2.6/files/drivers/net/phy/swconfig.c
@@ -463,6 +463,8 @@ swconfig_lookup_attr(struct switch_dev *dev, struct genl_info *info,
 		if (!info->attrs[SWITCH_ATTR_OP_VLAN])
 			goto done;
 		val->port_vlan = nla_get_u32(info->attrs[SWITCH_ATTR_OP_VLAN]);
+		if (val->port_vlan >= dev->vlans)
+			goto done;
 		break;
 	case SWITCH_CMD_SET_PORT:
 	case SWITCH_CMD_GET_PORT:
@@ -473,6 +475,8 @@ swconfig_lookup_attr(struct switch_dev *dev, struct genl_info *info,
 		if (!info->attrs[SWITCH_ATTR_OP_PORT])
 			goto done;
 		val->port_vlan = nla_get_u32(info->attrs[SWITCH_ATTR_OP_PORT]);
+		if (val->port_vlan >= dev->ports)
+			goto done;
 		break;
 	default:
 		WARN_ON(1);