netlink: fix (theoretical) overrun in message iteration

See commit 1045b03e ("netlink: fix overrun in attribute iteration") for a detailed explanation of why this patch is necessary. In short, nlmsg_next() can make "remaining" go negative, and the remaining >= sizeof(...) comparison will promote "remaining" to an unsigned type, which means that the expression will evaluate to true for negative numbers, even though it was not intended. I put "theoretical" in the title because I have no evidence that this can actually happen, but I suspect that a crafted netlink packet can trigger some badness. Note that the last test, which seemingly has the exact same problem (also true for nla_ok()), is perfectly OK, since we already know that remaining is positive. Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>

netlink: fix (theoretical) overrun in message iteration
See commit 1045b03e ("netlink: fix overrun in attribute iteration") for a detailed explanation of why this patch is necessary. In short, nlmsg_next() can make "remaining" go negative, and the remaining >= sizeof(...) comparison will promote "remaining" to an unsigned type, which means that the expression will evaluate to true for negative numbers, even though it was not intended. I put "theoretical" in the title because I have no evidence that this can actually happen, but I suspect that a crafted netlink packet can trigger some badness. Note that the last test, which seemingly has the exact same problem (also true for nla_ok()), is perfectly OK, since we already know that remaining is positive. Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
619e803d · Vegard Nossum · David S. Miller · 64ff3b93 · 619e803d
Commit 619e803d authored Dec 25, 2008 by Vegard Nossum Committed by David S. Miller Dec 25, 2008
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

include/net/netlink.h include/net/netlink.h +1 -1

No files found.
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -332,7 +332,7 @@ static inline int nlmsg_attrlen(const struct nlmsghdr *nlh, int hdrlen)
 */
 static inline int nlmsg_ok(const struct nlmsghdr *nlh, int remaining)
 {
-	return (remaining >= sizeof(struct nlmsghdr) &&
+	return (remaining >= (int) sizeof(struct nlmsghdr) &&
 		nlh->nlmsg_len >= sizeof(struct nlmsghdr) &&
 		nlh->nlmsg_len <= remaining);
 }