Commit c1e98f7d authored by Chris Wright's avatar Chris Wright Committed by David S. Miller

[IPV4/IPV6]: IGMP source filter fixes

When adding or deleting from the source list make sure to find matches
by comparing against the new source address, not the group address.
Also, check each addr in the list rather than just the first one.
And, finally, only delete from list when there's a match rather than
vice-versa.  Drop the effort to keep list sorted, since it's not done
on full-state api and can create an sl_addr entry that the delta api
won't be able to delete. Without these fixes sl_count can be corrupted
which can allow for kernel memory corruption.
Signed-off-by: default avatarChris Wright <chrisw@osdl.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 66e57dd8
...@@ -1778,12 +1778,12 @@ int ip_mc_source(int add, int omode, struct sock *sk, struct ...@@ -1778,12 +1778,12 @@ int ip_mc_source(int add, int omode, struct sock *sk, struct
goto done; goto done;
rv = !0; rv = !0;
for (i=0; i<psl->sl_count; i++) { for (i=0; i<psl->sl_count; i++) {
rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr, rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
sizeof(__u32)); sizeof(__u32));
if (rv >= 0) if (rv == 0)
break; break;
} }
if (!rv) /* source not found */ if (rv) /* source not found */
goto done; goto done;
/* update the interface filter */ /* update the interface filter */
...@@ -1825,9 +1825,9 @@ int ip_mc_source(int add, int omode, struct sock *sk, struct ...@@ -1825,9 +1825,9 @@ int ip_mc_source(int add, int omode, struct sock *sk, struct
} }
rv = 1; /* > 0 for insert logic below if sl_count is 0 */ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
for (i=0; i<psl->sl_count; i++) { for (i=0; i<psl->sl_count; i++) {
rv = memcmp(&psl->sl_addr, &mreqs->imr_multiaddr, rv = memcmp(&psl->sl_addr[i], &mreqs->imr_sourceaddr,
sizeof(__u32)); sizeof(__u32));
if (rv >= 0) if (rv == 0)
break; break;
} }
if (rv == 0) /* address already there is an error */ if (rv == 0) /* address already there is an error */
......
...@@ -391,12 +391,12 @@ int ip6_mc_source(int add, int omode, struct sock *sk, ...@@ -391,12 +391,12 @@ int ip6_mc_source(int add, int omode, struct sock *sk,
goto done; goto done;
rv = !0; rv = !0;
for (i=0; i<psl->sl_count; i++) { for (i=0; i<psl->sl_count; i++) {
rv = memcmp(&psl->sl_addr, group, rv = memcmp(&psl->sl_addr[i], source,
sizeof(struct in6_addr)); sizeof(struct in6_addr));
if (rv >= 0) if (rv == 0)
break; break;
} }
if (!rv) /* source not found */ if (rv) /* source not found */
goto done; goto done;
/* update the interface filter */ /* update the interface filter */
...@@ -437,8 +437,8 @@ int ip6_mc_source(int add, int omode, struct sock *sk, ...@@ -437,8 +437,8 @@ int ip6_mc_source(int add, int omode, struct sock *sk,
} }
rv = 1; /* > 0 for insert logic below if sl_count is 0 */ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
for (i=0; i<psl->sl_count; i++) { for (i=0; i<psl->sl_count; i++) {
rv = memcmp(&psl->sl_addr, group, sizeof(struct in6_addr)); rv = memcmp(&psl->sl_addr[i], source, sizeof(struct in6_addr));
if (rv >= 0) if (rv == 0)
break; break;
} }
if (rv == 0) /* address already there is an error */ if (rv == 0) /* address already there is an error */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment