swconfig: Check vlan/port indexes for validity.

Swconfig needs to make sure that requested vlans/ports actually exist,
else it might read or modify memory not belonging to itself.

This patch adds a quick range check in swconfig's kernel part to
prevent accidential or intentional memory modification.

Signed-off-by: Jonas Gorski <jonas.gorski+openwrt@gmail.com>
SVN-Revision: 20811

diff --git a/target/linux/generic-2.6/files/drivers/net/phy/swconfig.c b/target/linux/generic-2.6/files/drivers/net/phy/swconfig.c
index 7207e4659240b2f611a34036a9342a74d5909a74..bb49df83eb875fc8c427d0dfa59dde3024382ce0 100644 (file)
--- a/target/linux/generic-2.6/files/drivers/net/phy/swconfig.c
+++ b/target/linux/generic-2.6/files/drivers/net/phy/swconfig.c
@@ -463,6 +463,8 @@ swconfig_lookup_attr(struct switch_dev *dev, struct genl_info *info,
                if (!info->attrs[SWITCH_ATTR_OP_VLAN])
                        goto done;
                val->port_vlan = nla_get_u32(info->attrs[SWITCH_ATTR_OP_VLAN]);
                if (!info->attrs[SWITCH_ATTR_OP_VLAN])
                        goto done;
                val->port_vlan = nla_get_u32(info->attrs[SWITCH_ATTR_OP_VLAN]);

+               if (val->port_vlan >= dev->vlans)
+                       goto done;

                break;
        case SWITCH_CMD_SET_PORT:
        case SWITCH_CMD_GET_PORT:
                break;
        case SWITCH_CMD_SET_PORT:
        case SWITCH_CMD_GET_PORT:


@@ -473,6 +475,8 @@ swconfig_lookup_attr(struct switch_dev *dev, struct genl_info *info,
                if (!info->attrs[SWITCH_ATTR_OP_PORT])
                        goto done;
                val->port_vlan = nla_get_u32(info->attrs[SWITCH_ATTR_OP_PORT]);
                if (!info->attrs[SWITCH_ATTR_OP_PORT])
                        goto done;
                val->port_vlan = nla_get_u32(info->attrs[SWITCH_ATTR_OP_PORT]);

+               if (val->port_vlan >= dev->ports)
+                       goto done;

                break;
        default:
                WARN_ON(1);
                break;
        default:
                WARN_ON(1);