    netlink: fix (theoretical) overrun in message iteration · 619e803d
    Vegard Nossum authored
    See commit 1045b03e ("netlink: fix
    overrun in attribute iteration") for a detailed explanation of why
    this patch is necessary.
    
    In short, nlmsg_next() can make "remaining" go negative, and the
    remaining >= sizeof(...) comparison will promote "remaining" to an
    unsigned type, which means that the expression will evaluate to
    true for negative numbers, even though it was not intended.
    
    I put "theoretical" in the title because I have no evidence that
    this can actually happen, but I suspect that a crafted netlink
    packet can trigger some badness.
    
    Note that the last test, which seemingly has the exact same
    problem (also true for nla_ok()), is perfectly OK, since we
    already know that remaining is positive.
    Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
netlink.h 30.3 KB
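The signed/unsigned promotion the commit message describes, as an added example that is not the kernel's netlink.h or the commit's hunk (which this page does not show). The struct is a constructed 16-byte stand-in for struct nlmsghdr, hdr_next() is modelled on what nlmsg_next() does (subtract the aligned length), and the `(int)` cast in hdr_ok_fixed() is assumed here as the fix; the walk shows one concrete way "remaining" goes negative: a message whose unaligned length equals the bytes left, so aligning it subtracts more than remains.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct nlmsghdr (same 16-byte layout).
 * Example code, not the kernel's netlink.h. */
struct msg_hdr {
    uint32_t len;    /* total message length, header included */
    uint16_t type;
    uint16_t flags;
    uint32_t seq;
    uint32_t pid;
};

/* Round up to a 4-byte boundary, as NLMSG_ALIGN() does. */
#define ALIGN4(n) (((n) + 3u) & ~3u)

/* The comparison shape the commit message describes: sizeof() yields a
 * size_t, so a negative 'remaining' is converted to a huge unsigned value
 * and the first test passes. Nonzero means "header accepted". */
int hdr_ok_buggy(const struct msg_hdr *h, int remaining)
{
    return remaining >= sizeof(struct msg_hdr) &&
           h->len >= sizeof(struct msg_hdr) &&
           h->len <= remaining;
}

/* Assumed fix: compare in the signed domain by casting sizeof() to int.
 * Once the first test has passed, 'remaining' is known to be positive, so
 * the third comparison (h->len <= remaining) is safe as it stands, which
 * is the point the commit message makes about the last test. */
int hdr_ok_fixed(const struct msg_hdr *h, int remaining)
{
    return remaining >= (int)sizeof(struct msg_hdr) &&
           h->len >= sizeof(struct msg_hdr) &&
           h->len <= remaining;
}

/* Modelled on nlmsg_next(): subtract the *aligned* length and advance.
 * When len is unaligned and equals remaining, remaining goes negative. */
const struct msg_hdr *hdr_next(const struct msg_hdr *h, int *remaining)
{
    int totlen = (int)ALIGN4(h->len);
    *remaining -= totlen;
    return (const struct msg_hdr *)((const unsigned char *)h + totlen);
}

/* Walk a constructed buffer with the given check and count accepted
 * headers. Only 17 bytes are declared valid; the bytes after them stand
 * in for whatever memory follows the real message. The walk is bounded
 * by the backing array so the demo itself never reads out of bounds. */
int accepted_headers(int (*ok)(const struct msg_hdr *, int))
{
    uint32_t backing[10];                       /* 40 bytes, 4-byte aligned */
    unsigned char *buf = (unsigned char *)backing;
    struct msg_hdr first  = { .len = 17, .type = 1 };  /* unaligned length */
    struct msg_hdr beyond = { .len = 16, .type = 2 };  /* "memory after the message" */
    memset(backing, 0, sizeof backing);
    memcpy(buf, &first, sizeof first);
    memcpy(buf + ALIGN4(first.len), &beyond, sizeof beyond);  /* offset 20 */

    const struct msg_hdr *cur = (const struct msg_hdr *)buf;
    int remaining = 17;                         /* what the caller says is valid */
    int count = 0;
    while ((const unsigned char *)cur + sizeof *cur <= buf + sizeof backing &&
           ok(cur, remaining)) {
        count++;
        cur = hdr_next(cur, &remaining);        /* 17 -> -3 after the first step */
    }
    return count;
}

int main(void)
{
    printf("buggy check accepted %d header(s)\n", accepted_headers(hdr_ok_buggy));
    printf("fixed check accepted %d header(s)\n", accepted_headers(hdr_ok_fixed));
    return 0;
}
```

With the buggy comparison the walk accepts a second header that lies entirely past the 17 declared bytes, because `-3 >= sizeof(...)` is evaluated as `4294967293 >= 16`; with the cast it stops after the first message.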