sysctl binary: Reorder the tests to process wild card entries first.
A malicious user could have passed in a ctl_name of 0 and triggered
the well-known ctl_name to procname mapping code, instead of the wild
card matching code. This is a slight problem as wild card entries don't
have procnames, and because in some alternate universe a network device
might have ifindex 0. So test for and handle wild card entries first.
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
diff --git a/kernel/sysctl_binary.c b/kernel/sysctl_binary.c
index 0cf6040..b75dbf4 100644
--- a/kernel/sysctl_binary.c
+++ b/kernel/sysctl_binary.c
@@ -1269,17 +1269,12 @@
for ( ; table->convert; table++) {
int len = 0;
- /* Use the well known sysctl number to proc name mapping */
- if (ctl_name == table->ctl_name) {
- len = strlen(table->procname);
- memcpy(path, table->procname, len);
- }
-#ifdef CONFIG_NET
/*
* For a wild card entry map from ifindex to network
* device name.
*/
- else if (!table->ctl_name) {
+ if (!table->ctl_name) {
+#ifdef CONFIG_NET
struct net *net = current->nsproxy->net_ns;
struct net_device *dev;
dev = dev_get_by_index(net, ctl_name);
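Review bot: The comment above the new `if (!table->ctl_name)` test does not say that the ordering is load-bearing: a caller-supplied ctl_name of 0 compares equal to a wild card entry's ctl_name, and only testing the wild card first keeps it away from the `strlen(table->procname)` of a procname-less entry in the other branch. I would extend the comment with `* Wild card entries (ctl_name == 0) carry no procname, so they must be` / `* tested before the ctl_name comparison below; a user-supplied ctl_name` / `* of 0 would otherwise reach strlen() on a NULL procname.` With the `#ifdef CONFIG_NET` moved inside the branch, the body is empty when networking is not configured and len stays 0, which reads as intended (the lookup simply fails) but deserves a one-line `/* no ifindex lookup without CONFIG_NET: len stays 0 */` so it is not "fixed" later. The enclosing function starts before this hunk and the `#endif` that closes the block is in the following hunk.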
@@ -1288,8 +1283,12 @@
memcpy(path, dev->name, len);
dev_put(dev);
}
- }
#endif
+ /* Use the well known sysctl number to proc name mapping */
+ } else if (ctl_name == table->ctl_name) {
+ len = strlen(table->procname);
+ memcpy(path, table->procname, len);
+ }
if (len) {
path += len;
if (table->child) {
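Review bot: The new `else if (ctl_name == table->ctl_name)` branch at the top of this hunk still calls `strlen(table->procname)` unconditionally, so the fix rests entirely on the invariant that every entry with a non-zero ctl_name has a procname; since the commit message says ctl_name comes from the user, a table entry that breaks that invariant would again be an unprivileged NULL dereference. A cheap guard keeps the walk from oopsing on a malformed table: `} else if (ctl_name == table->ctl_name && table->procname) {`. The running `path += len` is not compared against the destination buffer anywhere in this hunk; presumably the caller sizes `path` for the deepest table path plus a device name, but that is not visible here and is worth a comment at the buffer's declaration. The enclosing function continues past the end of the hunk.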