]> git.karo-electronics.de Git - karo-tx-linux.git/commitdiff
projects / karo-tx-linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6ca4c55)
[PATCH] NETLINK: Fix processing of fib_lookup netlink messages
authorThomas Graf <tgraf@suug.ch>
Thu, 1 Dec 2005 22:05:12 +0000 (23:05 +0100)
committerGreg Kroah-Hartman <gregkh@suse.de>
Wed, 14 Dec 2005 23:42:55 +0000 (15:42 -0800)
The receive path for fib_lookup netlink messages is lacking sanity
checks for header and payload and is thus vulnerable to malformed
netlink messages causing illegal memory references.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
net/ipv4/fib_frontend.c patch | blob | history

diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index e61bc7177eb1b868225bf34734f85702fc311969..bc6f0a3698820a68800c372da450babfe6c64038 100644 (file)
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -545,12 +545,16 @@ static void nl_fib_input(struct sock *sk, int len)
        struct sk_buff *skb = NULL;
         struct nlmsghdr *nlh = NULL;
        struct fib_result_nl *frn;
-       int err;
        u32 pid;     
        struct fib_table *tb;
        
-       skb = skb_recv_datagram(sk, 0, 0, &err);
+       skb = skb_dequeue(&sk->sk_receive_queue);
        nlh = (struct nlmsghdr *)skb->data;
+       if (skb->len < NLMSG_SPACE(0) || skb->len < nlh->nlmsg_len ||
+           nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*frn))) {
+               kfree_skb(skb);
+               return;
+       }
        
        frn = (struct fib_result_nl *) NLMSG_DATA(nlh);
        tb = fib_get_table(frn->tb_id_in);
Linux kernel for KaRo TX COM modules