[PATCH] Fix DoS in netlink_rcv_skb() (CVE-2006-0035)

Sanity check nlmsg_len during netlink_rcv_skb. An nlmsg_len == 0 can cause infinite loop in kernel, effectively DoSing machine. Noted by Martin Murray. Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] Fix DoS in netlink_rcv_skb() (CVE-2006-0035)
Sanity check nlmsg_len during netlink_rcv_skb. An nlmsg_len == 0 can cause infinite loop in kernel, effectively DoSing machine. Noted by Martin Murray. Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: David S. Miller <davem@davemloft.net>
7abeff5a · Martin Murray · Chris Wright · 15ee2e06 · 7abeff5a
Commit 7abeff5a authored Jan 10, 2006 by Martin Murray Committed by Chris Wright Jan 14, 2006
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

net/netlink/af_netlink.c net/netlink/af_netlink.c +1 -1

No files found.
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1422,7 +1422,7 @@ static int netlink_rcv_skb(struct sk_buff *skb, int (*cb)(struct sk_buff *,
 	while (skb->len >= nlmsg_total_size(0)) {
 		nlh = (struct nlmsghdr *) skb->data;

-		if (skb->len < nlh->nlmsg_len)
+		if (nlh->nlmsg_len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len)
 			return 0;

 		total_len = min(NLMSG_ALIGN(nlh->nlmsg_len), skb->len);