From a3e8ee682003685b8b9c98c89340a42e48c3e813 Mon Sep 17 00:00:00 2001 From: roel kluin Date: Wed, 29 Jul 2009 23:46:59 +0000 Subject: ipv4: ARP neigh procfs buffer overflow If arp_format_neigh_entry() can be called with n->dev->addr_len == 0, then a write to hbuffer[-1] occurs. Signed-off-by: Roel Kluin Signed-off-by: David S. Miller --- net/ipv4/arp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'net/ipv4') diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c index c29d75d8f1b1..090e9991ac2a 100644 --- a/net/ipv4/arp.c +++ b/net/ipv4/arp.c @@ -1304,7 +1304,9 @@ static void arp_format_neigh_entry(struct seq_file *seq, hbuffer[k++] = hex_asc_lo(n->ha[j]); hbuffer[k++] = ':'; } - hbuffer[--k] = 0; + if (k != 0) + --k; + hbuffer[k] = 0; #if defined(CONFIG_AX25) || defined(CONFIG_AX25_MODULE) } #endif -- cgit v1.2.3