    netlink: validate NLA_MSECS length · c30bc947
    Johannes Berg authored
    L2TP for example uses NLA_MSECS like this:
    policy:
            [L2TP_ATTR_RECV_TIMEOUT]        = { .type = NLA_MSECS, },
    code:
            if (info->attrs[L2TP_ATTR_RECV_TIMEOUT])
                    cfg.reorder_timeout = nla_get_msecs(info->attrs[L2TP_ATTR_RECV_TIMEOUT]);
    
    As nla_get_msecs() is essentially nla_get_u64() plus the
    conversion to a HZ-based value, this will not properly
    reject attributes from userspace that aren't long enough
    and might overrun the message.
    
    Add NLA_MSECS to the attribute minlen array to check the
    size properly.
    
    Cc: Thomas Graf <tgraf@suug.ch>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
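The missing length check described in the commit message, shown as an added example that is not part of the commit or the kernel source. It is a simplified userspace model: every `demo_`/`DEMO_` name, both minimum-length tables and the 4-byte sample attribute are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Simplified userspace model; all demo_/DEMO_ names are hypothetical. */
enum demo_type { DEMO_U32, DEMO_U64, DEMO_MSECS, DEMO_TYPE_MAX };

struct demo_attr {            /* models the attribute header */
    uint16_t len;             /* header + payload, as sent by userspace */
    uint16_t type;
};
#define DEMO_HDRLEN ((int)sizeof(struct demo_attr))

/* Minimum payload length per policy type; 0 means no length check. */
static const uint16_t minlen_before[DEMO_TYPE_MAX] = {
    [DEMO_U32] = sizeof(uint32_t),
    [DEMO_U64] = sizeof(uint64_t),
    /* DEMO_MSECS has no entry, so any payload length is accepted */
};
static const uint16_t minlen_after[DEMO_TYPE_MAX] = {
    [DEMO_U32]   = sizeof(uint32_t),
    [DEMO_U64]   = sizeof(uint64_t),
    [DEMO_MSECS] = sizeof(uint64_t),  /* the entry the commit message calls for */
};

/* Returns 0 if the attribute passes the policy, -1 if it is too short. */
static int demo_validate(const struct demo_attr *a, enum demo_type policy,
                         const uint16_t *minlen)
{
    int payload = (int)a->len - DEMO_HDRLEN;
    if (payload < 0 || payload < (int)minlen[policy])
        return -1;
    return 0;
}

/* Bytes a 64-bit getter would read past the payload the sender supplied. */
static int demo_overread(const struct demo_attr *a)
{
    int payload = (int)a->len - DEMO_HDRLEN;
    int want = (int)sizeof(uint64_t);
    return payload < want ? want - payload : 0;
}

/* Constructed sample: a msecs attribute carrying only 4 payload bytes. */
static struct demo_attr demo_short_attr(void)
{
    struct demo_attr a = { .len = (uint16_t)(DEMO_HDRLEN + 4), .type = 1 };
    return a;
}
```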
nlattr.c 12.3 KB