Description of problem:
On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer overflow and the buffer may be smaller than needed. Since ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at least denial of service.
ethtool_get_rxnfc() was introduced in v2.6.27-rc1 via:
netdev: Add support for rx flow hash configuration, using ethtool.
Also see, ethtool: Add RX pkt classification interface rxhash->rxnfc
Only the niu (Neptune ethernet) driver uses this ioctl.
This issue did not affect the versions of Linux kernel as shipped with Red Hat
Enterprise Linux 3 and 4, as they do not include support for the Neptune
Ethernet driver. It did not affect Red Hat Enterprise Linux 5 and Red Hat
Enterprise MRG, as they do not contain the upstream commit 0853ad66 that
introduced this flaw.
Patch is now upstream:
kernel-188.8.131.52-147.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
kernel-184.108.40.206-141.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Fixed upstream in 2.6.35, 220.127.116.11, 18.104.22.168 and 22.214.171.124
mrg-1.3 [bug #608952]
mrg-1.3 is based on 126.96.36.199, so we already have this fix.