[NETLINK]: Fix processing of fib_lookup netlink messages

The receive path for fib_lookup netlink messages is lacking sanity
checks for header and payload and is thus vulnerable to malformed
netlink messages causing illegal memory references.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Thomas Graf and committed by David S. Miller ea86575e 2a43c4af

+6 -2
+6 -2
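--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -544,12 +544,16 @@
 	struct sk_buff *skb = NULL;
 	struct nlmsghdr *nlh = NULL;
 	struct fib_result_nl *frn;
-	int err;
 	u32 pid;
 	struct fib_table *tb;
 
-	skb = skb_recv_datagram(sk, 0, 0, &err);
+	skb = skb_dequeue(&sk->sk_receive_queue);
 	nlh = (struct nlmsghdr *)skb->data;
+	if (skb->len < NLMSG_SPACE(0) || skb->len < nlh->nlmsg_len ||
+	    nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) {
+		kfree_skb(skb);
+		return;
+	}
 
 	frn = (struct fib_result_nl *) NLMSG_DATA(nlh);
 	tb = fib_get_table(frn->tb_id_in);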
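Review bot: The value returned by skb_dequeue() at new line 550 is dereferenced on the very next line (`skb->data`) with no NULL check, so an empty receive queue would turn the newly added length validation into a NULL dereference before it ever runs. Whether the queue can be empty when this callback fires is not visible from the hunk, but the old skb_recv_datagram() path had the same unchecked assumption and nothing here rules it out, so the dequeue should be guarded with `if (skb == NULL) return;` before `nlh` is assigned. The added three-way check itself is ordered safely: `skb->len < NLMSG_SPACE(0)` is evaluated first, so `nlh->nlmsg_len` is only read once the header is known to fit in the buffer. The enclosing function starts and ends outside the hunk.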