From: Mathias Krause <minipli@googlemail.com>
To: linux-audit@redhat.com
Cc: Al Viro <viro@zeniv.linux.org.uk>
Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length
Date: Mon, 30 Sep 2013 22:04:25 +0200 [thread overview]
Message-ID: <1380571465-15440-3-git-send-email-minipli@googlemail.com> (raw)
In-Reply-To: <1380571465-15440-1-git-send-email-minipli@googlemail.com>
Using the nlmsg_len member of the netlink header to test if the message
is valid is wrong as it includes the size of the netlink header itself.
Thereby allowing to send short netlink messages that pass those checks.
Use nlmsg_len() instead to test for the right message length. The result
of nlmsg_len() is guaranteed to be non-negative as the netlink message
already passed the checks of nlmsg_ok().
Also switch to min_t() to please checkpatch.pl.
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd
Signed-off-by: Mathias Krause <minipli@googlemail.com>
---
kernel/audit.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index e237712..10c7263 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -671,7 +671,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
&status_set, sizeof(status_set));
break;
case AUDIT_SET:
- if (nlh->nlmsg_len < sizeof(struct audit_status))
+ if (nlmsg_len(nlh) < sizeof(struct audit_status))
return -EINVAL;
status_get = (struct audit_status *)data;
if (status_get->mask & AUDIT_STATUS_ENABLED) {
@@ -833,7 +833,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
memset(&s, 0, sizeof(s));
/* guard against past and future API changes */
- memcpy(&s, data, min(sizeof(s), (size_t)nlh->nlmsg_len));
+ memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh)));
if ((s.enabled != 0 && s.enabled != 1) ||
(s.log_passwd != 0 && s.log_passwd != 1))
return -EINVAL;
--
1.7.10.4
next prev parent reply other threads:[~2013-09-30 20:04 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-30 20:04 [PATCH 0/2] netlink related fixes Mathias Krause
2013-09-30 20:04 ` [PATCH 1/2] audit: fix info leak in AUDIT_GET requests Mathias Krause
2013-10-01 2:20 ` Richard Guy Briggs
2013-09-30 20:04 ` Mathias Krause [this message]
2013-10-01 3:51 ` [PATCH 2/2] audit: use nlmsg_len() to get message payload length Richard Guy Briggs
2013-10-01 6:33 ` Mathias Krause
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1380571465-15440-3-git-send-email-minipli@googlemail.com \
--to=minipli@googlemail.com \
--cc=linux-audit@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox