Message ID | 20081221134218.GA7959@localhost.localdomain |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
On Sun, Dec 21, 2008 at 2:42 PM, Vegard Nossum <vegard.nossum@gmail.com> wrote: > From bb805d89e84ddb11c9bb58afcfd9a6b37bbe5a9b Mon Sep 17 00:00:00 2001 > From: Vegard Nossum <vegard.nossum@gmail.com> > Date: Sun, 21 Dec 2008 14:20:49 +0100 > Subject: [PATCH] netlink: fix (theoretical) overrun in message iteration > > See commit 1045b03e07d85f3545118510a587035536030c1c for a detailed > explanation of why this patch is necessary. > > In short, nlmsg_next() can make "remaining" go negative, and the > remaining >= sizeof(...) comparison will promote "remaining" to an > unsigned type, which means that the expression will evaluate to > true for negative numbers, even though it was not intended. > > I put "theoretical" in the title because I have no evidence that > this can actually happen, but I suspect that a crafted netlink > packet can trigger some badness. nlmsg
On Sun, Dec 21, 2008 at 3:44 PM, Vegard Nossum <vegard.nossum@gmail.com> wrote: > On Sun, Dec 21, 2008 at 2:42 PM, Vegard Nossum <vegard.nossum@gmail.com> wrote: >> From bb805d89e84ddb11c9bb58afcfd9a6b37bbe5a9b Mon Sep 17 00:00:00 2001 >> From: Vegard Nossum <vegard.nossum@gmail.com> >> Date: Sun, 21 Dec 2008 14:20:49 +0100 >> Subject: [PATCH] netlink: fix (theoretical) overrun in message iteration >> >> See commit 1045b03e07d85f3545118510a587035536030c1c for a detailed >> explanation of why this patch is necessary. >> >> In short, nlmsg_next() can make "remaining" go negative, and the >> remaining >= sizeof(...) comparison will promote "remaining" to an >> unsigned type, which means that the expression will evaluate to >> true for negative numbers, even though it was not intended. >> >> I put "theoretical" in the title because I have no evidence that >> this can actually happen, but I suspect that a crafted netlink >> packet can trigger some badness. > > nlmsg Oops. I meant to say that nlmsg_for_each_msg() has no users at all, which means that the change is all the more "theoretical" :-) Vegard
From: Vegard Nossum <vegard.nossum@gmail.com> Date: Sun, 21 Dec 2008 14:42:18 +0100 > netlink: fix (theoretical) overrun in message iteration I'll apply this but we should also consider getting rid of unused interfaces such as nlmsg_for_each_msg(). -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/include/net/netlink.h b/include/net/netlink.h index 3643bbb..13dd525 100644 --- a/include/net/netlink.h +++ b/include/net/netlink.h @@ -332,7 +332,7 @@ static inline int nlmsg_attrlen(const struct nlmsghdr *nlh, int hdrlen) */ static inline int nlmsg_ok(const struct nlmsghdr *nlh, int remaining) { - return (remaining >= sizeof(struct nlmsghdr) && + return (remaining >= (int) sizeof(struct nlmsghdr) && nlh->nlmsg_len >= sizeof(struct nlmsghdr) && nlh->nlmsg_len <= remaining); }