Commit d86288b4 authored by Ge Hu's avatar Ge Hu Committed by Xinghai Cen

network_mgmt: Security check and modification.

driver inclusion
category: cleanup
bugzilla: https://gitee.com/openeuler/kernel/issues/IALRBD


CVE: NA

----------------------------------------------------------------------

1. Mark read-only data with the const modifier.
2. Use sysfs_emit for output.
3. Place the ndev retrieval before dev_queue_xmit to avoid UAF

Signed-off-by: default avatarGe Hu <huge4@huawei.com>
parent e9437292
+12 −12
@@ -23,7 +23,7 @@
static struct workqueue_struct *ip_notify_wq;
static int initialized;

u8 ub_dguid[UBL_ALEN] = {0xFF, 0xFF, 0xFF, 0xFF,
const u8 ub_dguid[UBL_ALEN] = {0xFF, 0xFF, 0xFF, 0xFF,
			       0xFF, 0xFF, 0xFF, 0xFF,
			       0xFF, 0xFF, 0xFF, 0xFF,
			       0xFF, 0xFF, 0x01, 0x02};
@@ -41,7 +41,7 @@ static ssize_t good_ipv4_notify_tx_cnt_show(struct kobject *kobj,
	ipn_ctx = container_of(ipn_attrs, struct ub_nm_ip_notify_ctx, attrs);
	good_ipv4_tx_cnt = atomic64_read(&ipn_ctx->stats.good_ipv4_notify_tx_cnt);

	return sprintf(buf, "0x%llx\n", good_ipv4_tx_cnt);
	return sysfs_emit(buf, "0x%llx\n", good_ipv4_tx_cnt);
}

static ssize_t bad_ipv4_notify_tx_cnt_show(struct kobject *kobj,
@@ -57,7 +57,7 @@ static ssize_t bad_ipv4_notify_tx_cnt_show(struct kobject *kobj,
	ipn_ctx = container_of(ipn_attrs, struct ub_nm_ip_notify_ctx, attrs);
	bad_ipv4_tx_cnt = atomic64_read(&ipn_ctx->stats.bad_ipv4_notify_tx_cnt);

	return sprintf(buf, "0x%llx\n", bad_ipv4_tx_cnt);
	return sysfs_emit(buf, "0x%llx\n", bad_ipv4_tx_cnt);
}

static ssize_t good_ipv6_notify_tx_cnt_show(struct kobject *kobj,
@@ -73,7 +73,7 @@ static ssize_t good_ipv6_notify_tx_cnt_show(struct kobject *kobj,
	ipn_ctx = container_of(ipn_attrs, struct ub_nm_ip_notify_ctx, attrs);
	good_ipv6_tx_cnt = atomic64_read(&ipn_ctx->stats.good_ipv6_notify_tx_cnt);

	return sprintf(buf, "0x%llx\n", good_ipv6_tx_cnt);
	return sysfs_emit(buf, "0x%llx\n", good_ipv6_tx_cnt);
}

static ssize_t bad_ipv6_notify_tx_cnt_show(struct kobject *kobj,
@@ -89,7 +89,7 @@ static ssize_t bad_ipv6_notify_tx_cnt_show(struct kobject *kobj,
	ipn_ctx = container_of(ipn_attrs, struct ub_nm_ip_notify_ctx, attrs);
	bad_ipv6_tx_cnt = atomic64_read(&ipn_ctx->stats.bad_ipv6_notify_tx_cnt);

	return sprintf(buf, "0x%llx\n", bad_ipv6_tx_cnt);
	return sysfs_emit(buf, "0x%llx\n", bad_ipv6_tx_cnt);
}

static ssize_t print_ip_notify_pkt_en_show(struct kobject *kobj,
@@ -105,7 +105,7 @@ static ssize_t print_ip_notify_pkt_en_show(struct kobject *kobj,
	ipn_ctx = container_of(ipn_attrs, struct ub_nm_ip_notify_ctx, attrs);
	status = ipn_ctx->ctls.print_ip_notify_pkt_en;

	return sprintf(buf, "%u\n", status);
	return sysfs_emit(buf, "%u\n", status);
}

static ssize_t print_ip_notify_pkt_en_store(struct kobject *kobj,
@@ -450,10 +450,9 @@ struct sk_buff *ub_ipv6_create_ip_notify_pkt(struct net_device *ndev,
	return skb;
}

static void ub_update_tx_stats(int ptype, struct sk_buff *skb, int rc)
static void ub_update_tx_stats(int ptype, struct net_device *ndev, int rc)
{
	struct list_head *dev_list = ub_nm_get_dev_list();
	struct net_device *ndev = skb->dev;
	struct ub_nm_device *nm_dev;

	ub_nm_down_read();
@@ -487,10 +486,11 @@ static void ub_update_tx_stats(int ptype, struct sk_buff *skb, int rc)

static void ub_xmit_ip_notify_pkt(int ptype, struct sk_buff *skb)
{
	struct net_device *ndev = skb->dev;
	int rc;

	rc = dev_queue_xmit(skb);
	ub_update_tx_stats(ptype, skb, rc);
	ub_update_tx_stats(ptype, ndev, rc);
}

static void ub_ipv4_send_ip_notify(struct net_device *ndev,
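Review bot: In `ub_xmit_ip_notify_pkt` the cached `ndev` pointer is still used after `dev_queue_xmit()` returns, and nothing in the hunk pins the device for that window. Reading `skb->dev` up front removes the access to the consumed skb, but the pointer's own lifetime then depends on whatever the callers hold, which is not visible here. If `ub_update_tx_stats` only compares `ndev` against `nm_dev->ndev` under `ub_nm_down_read()` (its body continues outside the hunk), the pointer is never dereferenced, and a comment such as `/* skb is consumed by dev_queue_xmit(); ndev is used only as a lookup key below */` would record that. Otherwise bracket the call with `dev_hold(ndev);` before `dev_queue_xmit(skb)` and `dev_put(ndev);` after `ub_update_tx_stats(ptype, ndev, rc)`.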
+2 −2
@@ -118,10 +118,10 @@ static int ub_nm_add_device(struct net_device *ndev)
static void ub_nm_del_device(struct net_device *ndev)
{
	struct list_head *dev_list = ub_nm_get_dev_list();
	struct ub_nm_device *nm_dev;
	struct ub_nm_device *nm_dev, *tmp;

	ub_nm_down_write();
	list_for_each_entry(nm_dev, dev_list, nm_dev_list) {
	list_for_each_entry_safe(nm_dev, tmp, dev_list, nm_dev_list) {
		if (nm_dev->ndev != ndev)
			continue;