Hi everyone,
I noticed that the function __dev_set_promiscuity() does not check the
inc parameter properly.
Like nice little soldiers, we always used this function like this to
drop the promiscuity on a device :
__dev_set_promiscuity(dev, -1);
But nothing forbids to code something like:
__dev_set_promiscuity(dev, -5);
If the promiscuity reference counter is lower than 5 then the value
underflows (because dev->promiscuity is unsigned int).
Here is a proposed patch to report elegantly when such situation would
occur.
Regards,
Emmanuel Roullit
Signed-off-by: Emmanuel Roullit <emmanuel@xxxxxxxxxxxxxxx>
diff --git a/net/core/dev.c b/net/core/dev.c
index f769098..f49dbde 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3591,6 +3591,13 @@ static int __dev_set_promiscuity(struct net_device *dev, int inc)
ASSERT_RTNL();
+ if (inc < 0 && -inc > dev->promiscuity) {
+ printk(KERN_WARNING "%s: promiscuity touches bottom, "
+ "set promiscuity failed, promiscuity feature "
+ "of device might be broken.\n", dev->name);
+ return -EOVERFLOW;
+ }
+
dev->flags |= IFF_PROMISC;
dev->promiscuity += inc;
if (dev->promiscuity == 0) {
--
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
