From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Mathias Krause <minipli@googlemail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 16/32] connector: use nlmsg_len() to check message length
Date: Fri, 1 Nov 2013 14:43:27 -0700 [thread overview]
Message-ID: <20131101214317.517914955@linuxfoundation.org> (raw)
In-Reply-To: <20131101214313.735463599@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@googlemail.com>
[ Upstream commit 162b2bedc084d2d908a04c93383ba02348b648b0 ]
The current code tests the length of the whole netlink message to be
at least as long to fit a cn_msg. This is wrong as nlmsg_len includes
the length of the netlink message header. Use nlmsg_len() instead to
fix this "off-by-NLMSG_HDRLEN" size check.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/connector/connector.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/connector/connector.c
+++ b/drivers/connector/connector.c
@@ -157,17 +157,18 @@ static int cn_call_callback(struct sk_bu
static void cn_rx_skb(struct sk_buff *__skb)
{
struct nlmsghdr *nlh;
- int err;
struct sk_buff *skb;
+ int len, err;
skb = skb_get(__skb);
if (skb->len >= NLMSG_SPACE(0)) {
nlh = nlmsg_hdr(skb);
+ len = nlmsg_len(nlh);
- if (nlh->nlmsg_len < sizeof(struct cn_msg) ||
+ if (len < (int)sizeof(struct cn_msg) ||
skb->len < nlh->nlmsg_len ||
- nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) {
+ len > CONNECTOR_MAX_MSG_SIZE) {
kfree_skb(skb);
return;
}
next prev parent reply other threads:[~2013-11-01 21:44 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-01 21:43 [ 00/32] 3.4.68-stable review Greg Kroah-Hartman
2013-11-01 21:43 ` [ 01/32] tcp: must unclone packets before mangling them Greg Kroah-Hartman
2013-11-01 21:43 ` [ 02/32] tcp: do not forget FIN in tcp_shifted_skb() Greg Kroah-Hartman
2013-11-01 21:43 ` [ 03/32] net: do not call sock_put() on TIMEWAIT sockets Greg Kroah-Hartman
2013-11-01 21:43 ` [ 04/32] net: mv643xx_eth: update statistics timer from timer context only Greg Kroah-Hartman
2013-11-01 21:43 ` [ 05/32] net: mv643xx_eth: fix orphaned statistics timer crash Greg Kroah-Hartman
2013-11-01 21:43 ` [ 06/32] net: heap overflow in __audit_sockaddr() Greg Kroah-Hartman
2013-11-01 21:43 ` [ 07/32] proc connector: fix info leaks Greg Kroah-Hartman
2013-11-01 21:43 ` [ 08/32] ipv4: fix ineffective source address selection Greg Kroah-Hartman
2013-11-01 21:43 ` [ 09/32] can: dev: fix nlmsg size calculation in can_get_size() Greg Kroah-Hartman
2013-11-01 21:43 ` [ 10/32] ipv6: restrict neighbor entry creation to output flow Greg Kroah-Hartman
2013-11-01 21:43 ` [ 11/32] bridge: Correctly clamp MAX forward_delay when enabling STP Greg Kroah-Hartman
2013-11-01 21:43 ` [ 12/32] net: vlan: fix nlmsg size calculation in vlan_get_size() Greg Kroah-Hartman
2013-11-01 21:43 ` [ 13/32] l2tp: must disable bh before calling l2tp_xmit_skb() Greg Kroah-Hartman
2013-11-01 21:43 ` [ 14/32] farsync: fix info leak in ioctl Greg Kroah-Hartman
2013-11-01 21:43 ` [ 15/32] unix_diag: fix info leak Greg Kroah-Hartman
2013-11-01 21:43 ` Greg Kroah-Hartman [this message]
2013-11-01 21:43 ` [ 17/32] bnx2x: record rx queue for LRO packets Greg Kroah-Hartman
2013-11-01 21:43 ` [ 18/32] net: dst: provide accessor function to dst->xfrm Greg Kroah-Hartman
2013-11-01 21:43 ` [ 19/32] sctp: Use software crc32 checksum when xfrm transform will happen Greg Kroah-Hartman
2013-11-01 21:43 ` [ 20/32] sctp: Perform software checksum if packet has to be fragmented Greg Kroah-Hartman
2013-11-01 21:43 ` [ 21/32] wanxl: fix info leak in ioctl Greg Kroah-Hartman
2013-11-01 21:43 ` [ 22/32] net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race Greg Kroah-Hartman
2013-11-01 21:43 ` [ 23/32] net: fix cipso packet validation when !NETLABEL Greg Kroah-Hartman
2013-11-01 21:43 ` [ 24/32] inet: fix possible memory corruption with UDP_CORK and UFO Greg Kroah-Hartman
2013-11-01 21:43 ` [ 25/32] davinci_emac.c: Fix IFF_ALLMULTI setup Greg Kroah-Hartman
2013-11-01 21:43 ` [ 26/32] ext3: return 32/64-bit dir name hash according to usage type Greg Kroah-Hartman
2013-11-01 21:43 ` [ 27/32] dm snapshot: fix data corruption Greg Kroah-Hartman
2013-11-01 21:43 ` [ 28/32] writeback: fix negative bdi max pause Greg Kroah-Hartman
2013-11-01 21:43 ` [ 29/32] wireless: radiotap: fix parsing buffer overrun Greg Kroah-Hartman
2013-11-01 21:43 ` [ 30/32] USB: serial: ti_usb_3410_5052: add Abbott strip port ID to combined table as well Greg Kroah-Hartman
2013-11-01 21:43 ` [ 31/32] USB: serial: option: add support for Inovia SEW858 device Greg Kroah-Hartman
2013-11-01 21:43 ` [ 32/32] usb: serial: option: blacklist Olivetti Olicard200 Greg Kroah-Hartman
2013-11-02 2:28 ` [ 00/32] 3.4.68-stable review Guenter Roeck
2013-11-02 21:33 ` Shuah Khan
2013-11-04 3:07 ` Satoru Takeuchi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131101214317.517914955@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=minipli@googlemail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox