macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The previous commit 954d1fa1ac93 ("macvlan: Add netlink attribute for
broadcast cutoff") added one additional attribute named
IFLA_MACVLAN_BC_CUTOFF to allow broadcast cutfoff.

However, it forgot to describe the nla_policy at macvlan_policy
(drivers/net/macvlan.c). Hence, this suppose NLA_S32 (4 bytes) integer
can be faked as empty (0 bytes) by a malicious user, which could leads
to OOB in heap just like CVE-2023-3773.

To fix it, this commit just completes the nla_policy description for
IFLA_MACVLAN_BC_CUTOFF. This enforces the length check and avoids the
potential OOB read.

Fixes: 954d1fa1ac93 ("macvlan: Add netlink attribute for broadcast cutoff")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/20230723080205.3715164-1-linma@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Lin Ma and committed by

Jakub Kicinski 2 years ago 55cef78c 284779db

1 changed file

expand all

drivers

net

macvlan.c

drivers/net/macvlan.c

··· 1746 1746 [IFLA_MACVLAN_MACADDR_COUNT] = { .type = NLA_U32 }, 1747 1747 [IFLA_MACVLAN_BC_QUEUE_LEN] = { .type = NLA_U32 }, 1748 1748 [IFLA_MACVLAN_BC_QUEUE_LEN_USED] = { .type = NLA_REJECT }, 1749 + [IFLA_MACVLAN_BC_CUTOFF] = { .type = NLA_S32 }, 1749 1750 }; 1750 1751 1751 1752 int macvlan_link_register(struct rtnl_link_ops *ops)