diff options
| author | Tim Serong <tserong@suse.com> | 2012-09-18 20:01:53 +1000 |
|---|---|---|
| committer | Simon Horman <horms@verge.net.au> | 2013-05-22 15:04:55 +0900 |
| commit | 2e3d1f61c9ceea2c87143ca603ffffa6f86e57d5 (patch) | |
| tree | d5d154b77b09f6d440d7806d41aabe63d40301d0 | |
| parent | 6035c45b8550febd05eeba6ae2bb0b5e72d92bf6 (diff) | |
| download | ipvsadm-2e3d1f61c9ceea2c87143ca603ffffa6f86e57d5.tar.gz | |
ipvsadm: Fix buffer overrun in ipvs_dests_parse_cb()
The attrs and dest_attrs arrays in ipvs_dest_parse_cb() seem to be using
the wrong defines for their length. This resulted in a buffer overrun
corrupting EBX, which later caused a segfault running 'ipvsadm -Ln' on
32 bit intel (SLES 11 SP2).
Signed-off-by: Tim Serong <tserong@suse.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
| -rw-r--r-- | libipvs/ip_vs.h | 2 | ||||
| -rw-r--r-- | libipvs/libipvs.c | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/libipvs/ip_vs.h b/libipvs/ip_vs.h index 9726a17..5e1d544 100644 --- a/libipvs/ip_vs.h +++ b/libipvs/ip_vs.h @@ -413,7 +413,7 @@ enum { __IPVS_CMD_ATTR_MAX, }; -#define IPVS_CMD_ATTR_MAX (__IPVS_SVC_ATTR_MAX - 1) +#define IPVS_CMD_ATTR_MAX (__IPVS_CMD_ATTR_MAX - 1) /* * Attributes used to describe a service diff --git a/libipvs/libipvs.c b/libipvs/libipvs.c index a157e18..be34dbc 100644 --- a/libipvs/libipvs.c +++ b/libipvs/libipvs.c @@ -726,8 +726,8 @@ ipvs_sort_services(struct ip_vs_get_services *s, ipvs_service_cmp_t f) static int ipvs_dests_parse_cb(struct nl_msg *msg, void *arg) { struct nlmsghdr *nlh = nlmsg_hdr(msg); - struct nlattr *attrs[IPVS_DEST_ATTR_MAX + 1]; - struct nlattr *dest_attrs[IPVS_SVC_ATTR_MAX + 1]; + struct nlattr *attrs[IPVS_CMD_ATTR_MAX + 1]; + struct nlattr *dest_attrs[IPVS_DEST_ATTR_MAX + 1]; struct ip_vs_get_dests **dp = (struct ip_vs_get_dests **)arg; struct ip_vs_get_dests *d = (struct ip_vs_get_dests *)*dp; int i = d->num_dests; |