Commit a4b64fbe authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller

rtnetlink: fix rtnl_calcit() and rtnl_dump_ifinfo()

nlmsg_parse() might return an error, so test its return value before
potential random memory accesses.

Errors introduced in commit 115c9b81 (rtnetlink: Fix problem with
buffer allocation)
Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
Cc: Greg Rose <gregory.v.rose@intel.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 709e1b5c
...@@ -1060,11 +1060,12 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb) ...@@ -1060,11 +1060,12 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
rcu_read_lock(); rcu_read_lock();
cb->seq = net->dev_base_seq; cb->seq = net->dev_base_seq;
nlmsg_parse(cb->nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX, if (nlmsg_parse(cb->nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX,
ifla_policy); ifla_policy) >= 0) {
if (tb[IFLA_EXT_MASK]) if (tb[IFLA_EXT_MASK])
ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]); ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]);
}
for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
idx = 0; idx = 0;
...@@ -1900,10 +1901,11 @@ static u16 rtnl_calcit(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -1900,10 +1901,11 @@ static u16 rtnl_calcit(struct sk_buff *skb, struct nlmsghdr *nlh)
u32 ext_filter_mask = 0; u32 ext_filter_mask = 0;
u16 min_ifinfo_dump_size = 0; u16 min_ifinfo_dump_size = 0;
nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX, ifla_policy); if (nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX,
ifla_policy) >= 0) {
if (tb[IFLA_EXT_MASK]) if (tb[IFLA_EXT_MASK])
ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]); ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]);
}
if (!ext_filter_mask) if (!ext_filter_mask)
return NLMSG_GOODSIZE; return NLMSG_GOODSIZE;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment