From 757010f026ab3044c594003e216d00a33ed95c56 Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman"
Date: Thu, 12 Nov 2009 01:39:06 -0800
Subject: sysctl binary: Reorder the tests to process wild card entries first.

A malicious user could have passed in a ctl_name of 0 and triggered the well know ctl_name to procname mapping code, instead of the wild card matching code. This is a slight problem as wild card entries don't have procnames, and because in some alternate universe a network device might have ifindex 0. So test for and handle wild card entries first.

Signed-off-by: Eric W. Biederman
---
 kernel/sysctl_binary.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

(limited to 'kernel/sysctl_binary.c')

diff --git a/kernel/sysctl_binary.c b/kernel/sysctl_binary.c
index 0cf60400542d..b75dbf40f573 100644
--- a/kernel/sysctl_binary.c
+++ b/kernel/sysctl_binary.c
@@ -1269,17 +1269,12 @@ repeat:
 	for ( ; table->convert; table++) {
 		int len = 0;
 
-		/* Use the well known sysctl number to proc name mapping */
-		if (ctl_name == table->ctl_name) {
-			len = strlen(table->procname);
-			memcpy(path, table->procname, len);
-		}
-#ifdef CONFIG_NET
 		/*
 		 * For a wild card entry map from ifindex to network
 		 * device name.
 		 */
-		else if (!table->ctl_name) {
+		if (!table->ctl_name) {
+#ifdef CONFIG_NET
 			struct net *net = current->nsproxy->net_ns;
 			struct net_device *dev;
 			dev = dev_get_by_index(net, ctl_name);
@@ -1288,8 +1283,12 @@ repeat:
 				memcpy(path, dev->name, len);
 				dev_put(dev);
 			}
-		}
 #endif
+		/* Use the well known sysctl number to proc name mapping */
+		} else if (ctl_name == table->ctl_name) {
+			len = strlen(table->procname);
+			memcpy(path, table->procname, len);
+		}
 		if (len) {
 			path += len;
 			if (table->child) {
-- 
cgit v1.2.3-59-g8ed1b
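Review bot: The comment `/* Use the well known sysctl number to proc name mapping */` in the second hunk sits inside the wild-card block, just before `} else if`, so it reads as the tail of the branch it does not describe; moving it to the line after `} else if (ctl_name == table->ctl_name) {`, or closing the wild-card block with `}` on its own line before it, keeps the comment attached to the branch it explains. With CONFIG_NET disabled the wild-card branch is now an empty block, which is harmless but deserves a one-line comment such as `/* no networking: wild-card entries never match */` inside the `#ifdef` else path. The added `memcpy(path, table->procname, len)` carries no check of the space remaining in the caller's buffer; this is inherited from the removed lines, and if `path` is sized for the deepest table nesting it is fine, but a comment stating that assumption would help the next reader. The enclosing loop starts in the first hunk and continues past the end of this one.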