* old NLMSG_OK fix
@ 2004-05-31 16:04 Christoph Hellwig
  2004-06-27 17:15 ` Christoph Hellwig
From: Christoph Hellwig @ 2004-05-31 16:04 UTC (permalink / raw)
  To: netdev

I just stumbled over NLMSG_OK and RTA_OK changes in the debian kernel
package.  It seems they are from
http://oss.sgi.com/projects/netdev/archive/2000-09/msg00001.html

Any comments?

diff -urN kernel-source-2.6.6/include/linux/netlink.h kernel-source-2.6.6-1/include/linux/netlink.h
--- kernel-source-2.6.6/include/linux/netlink.h	2004-05-10 19:48:07.000000000 +1000
+++ kernel-source-2.6.6-1/include/linux/netlink.h	2004-05-10 22:21:52.000000000 +1000
@@ -73,7 +73,8 @@
 #define NLMSG_DATA(nlh)  ((void*)(((char*)nlh) + NLMSG_LENGTH(0)))
 #define NLMSG_NEXT(nlh,len)	 ((len) -= NLMSG_ALIGN((nlh)->nlmsg_len), \
 				  (struct nlmsghdr*)(((char*)(nlh)) + NLMSG_ALIGN((nlh)->nlmsg_len)))
-#define NLMSG_OK(nlh,len) ((len) > 0 && (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && \
+#define NLMSG_OK(nlh,len) ((len) >= (int)sizeof(struct nlmsghdr) && \
+			   (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && \
 			   (nlh)->nlmsg_len <= (len))
 #define NLMSG_PAYLOAD(nlh,len) ((nlh)->nlmsg_len - NLMSG_SPACE((len)))
 
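Review bot: the reordering is the whole fix and deserves a comment in the header so it is not "tidied" back later. The old macro evaluated `(nlh)->nlmsg_len` as soon as `(len) > 0`, so with 1 to 15 bytes left the header was dereferenced before anyone had checked that a header fits; the new first clause `(len) >= (int)sizeof(struct nlmsghdr)` short-circuits before that read. Two caveats worth stating next to the macro: the `(int)` cast only protects callers that pass a signed `len` (NLMSG_NEXT subtracts NLMSG_ALIGN(nlmsg_len), which can exceed nlmsg_len by up to 3 and leave `len` negative, and an unsigned `len` would be promoted and pass the check), and the trailing `(nlh)->nlmsg_len <= (len)` still compares `__u32` against `int`, which is only safe because the first clause now guarantees `len` is positive.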
@@ -93,6 +94,7 @@
 #ifdef __KERNEL__
 
 #include <linux/capability.h>
+#include <linux/skbuff.h>
 
 struct netlink_skb_parms
 {
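Review bot: the `#include <linux/skbuff.h>` is unrelated to the NLMSG_OK/RTA_OK bounds fix and the cover text does not mention it; split it into its own patch with a one-line reason (which declaration in this header needs it), otherwise a reviewer cannot tell whether it was pulled in by accident from the Debian package.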
diff -urN kernel-source-2.6.6/include/linux/rtnetlink.h kernel-source-2.6.6-1/include/linux/rtnetlink.h
--- kernel-source-2.6.6/include/linux/rtnetlink.h	2004-05-10 19:48:08.000000000 +1000
+++ kernel-source-2.6.6-1/include/linux/rtnetlink.h	2004-05-10 22:21:52.000000000 +1000
@@ -69,7 +69,8 @@
 
 #define RTA_ALIGNTO	4
 #define RTA_ALIGN(len) ( ((len)+RTA_ALIGNTO-1) & ~(RTA_ALIGNTO-1) )
-#define RTA_OK(rta,len) ((len) > 0 && (rta)->rta_len >= sizeof(struct rtattr) && \
+#define RTA_OK(rta,len) ((len) >= (int)sizeof(struct rtattr) && \
+			 (rta)->rta_len >= sizeof(struct rtattr) && \
 			 (rta)->rta_len <= (len))
 #define RTA_NEXT(rta,attrlen)	((attrlen) -= RTA_ALIGN((rta)->rta_len), \
 				 (struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
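Review bot: same ordering fix as NLMSG_OK and correct for the same reason, but note that `RTA_NEXT` just below still subtracts `RTA_ALIGN((rta)->rta_len)`, which can exceed `rta_len` by up to 3 and leave `attrlen` negative, and the new first clause only catches that when `attrlen` is a signed type. Suggest a comment on RTA_OK (and NLMSG_OK) saying callers must pass an `int` length, since these macros are exported to user space where nothing enforces it.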


* Re: old NLMSG_OK fix
  2004-05-31 16:04 old NLMSG_OK fix Christoph Hellwig
@ 2004-06-27 17:15 ` Christoph Hellwig
  2004-06-28  3:51   ` David S. Miller
From: Christoph Hellwig @ 2004-06-27 17:15 UTC (permalink / raw)
  To: davem, netdev

On Mon, May 31, 2004 at 06:04:27PM +0200, Christoph Hellwig wrote:
> I just stumbled over NLMSG_OK and RTA_OK changes in the debian kernel
> package.  It seems they are from
> http://oss.sgi.com/projects/netdev/archive/2000-09/msg00001.html
> 
> Any comments?

ping


--- kernel-source-2.6.6/include/linux/netlink.h	2004-05-10 19:48:07.000000000 +1000
+++ kernel-source-2.6.6-1/include/linux/netlink.h	2004-05-10 22:21:52.000000000 +1000
@@ -73,7 +73,8 @@
 #define NLMSG_DATA(nlh)  ((void*)(((char*)nlh) + NLMSG_LENGTH(0)))
 #define NLMSG_NEXT(nlh,len)	 ((len) -= NLMSG_ALIGN((nlh)->nlmsg_len), \
 				  (struct nlmsghdr*)(((char*)(nlh)) + NLMSG_ALIGN((nlh)->nlmsg_len)))
-#define NLMSG_OK(nlh,len) ((len) > 0 && (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && \
+#define NLMSG_OK(nlh,len) ((len) >= (int)sizeof(struct nlmsghdr) && \
+			   (nlh)->nlmsg_len >= sizeof(struct nlmsghdr) && \
 			   (nlh)->nlmsg_len <= (len))
 #define NLMSG_PAYLOAD(nlh,len) ((nlh)->nlmsg_len - NLMSG_SPACE((len)))
 
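Review bot: compared with the 31 May posting this resend drops the `#include <linux/skbuff.h>` hunk and the `diff -urN` file lines; the remaining change is the same, but a resend should say what was removed so reviewers know which version is meant to be applied.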
--- kernel-source-2.6.6/include/linux/rtnetlink.h	2004-05-10 19:48:08.000000000 +1000
+++ kernel-source-2.6.6-1/include/linux/rtnetlink.h	2004-05-10 22:21:52.000000000 +1000
@@ -69,7 +69,8 @@
 
 #define RTA_ALIGNTO	4
 #define RTA_ALIGN(len) ( ((len)+RTA_ALIGNTO-1) & ~(RTA_ALIGNTO-1) )
-#define RTA_OK(rta,len) ((len) > 0 && (rta)->rta_len >= sizeof(struct rtattr) && \
+#define RTA_OK(rta,len) ((len) >= (int)sizeof(struct rtattr) && \
+			 (rta)->rta_len >= sizeof(struct rtattr) && \
 			 (rta)->rta_len <= (len))
 #define RTA_NEXT(rta,attrlen)	((attrlen) -= RTA_ALIGN((rta)->rta_len), \
 				 (struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))


* Re: old NLMSG_OK fix
  2004-06-27 17:15 ` Christoph Hellwig
@ 2004-06-28  3:51   ` David S. Miller
  2004-06-28  9:43     ` Herbert Xu
From: David S. Miller @ 2004-06-28  3:51 UTC (permalink / raw)
  To: Christoph Hellwig; +Cc: netdev

On Sun, 27 Jun 2004 19:15:52 +0200
Christoph Hellwig <hch@lst.de> wrote:

> http://oss.sgi.com/projects/netdev/archive/2000-09/msg00001.html

It works because there is always 16 bytes of scratch at the end of an
SKB more than was allocated for the actual data.  So blindly deref'ing
the nlmsg_len value is fine here.

There is no danger for OOPS's or kernel corruption.

I believe I responded exactly like this the last time this
patch was presented.


* Re: old NLMSG_OK fix
  2004-06-28  3:51   ` David S. Miller
@ 2004-06-28  9:43     ` Herbert Xu
  2004-06-28 18:22       ` David S. Miller
From: Herbert Xu @ 2004-06-28  9:43 UTC (permalink / raw)
  To: David S. Miller; +Cc: hch, netdev

David S. Miller <davem@redhat.com> wrote:
> On Sun, 27 Jun 2004 19:15:52 +0200
> Christoph Hellwig <hch@lst.de> wrote:
> 
>> http://oss.sgi.com/projects/netdev/archive/2000-09/msg00001.html
> 
> It works because there is always 16 bytes of scratch at the end of an
> SKB more than was allocated for the actual data.  So blindly deref'ing
> the nlmsg_len value is fine here.

Yes but this is also used by user-space applications where this scratch
space may not exist.  NETLINK messages can travel from one application
to another so exploits are possible.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: old NLMSG_OK fix
  2004-06-28  9:43     ` Herbert Xu
@ 2004-06-28 18:22       ` David S. Miller
From: David S. Miller @ 2004-06-28 18:22 UTC (permalink / raw)
  To: Herbert Xu; +Cc: hch, netdev

On Mon, 28 Jun 2004 19:43:37 +1000
Herbert Xu <herbert@gondor.apana.org.au> wrote:

> David S. Miller <davem@redhat.com> wrote:
> > On Sun, 27 Jun 2004 19:15:52 +0200
> > Christoph Hellwig <hch@lst.de> wrote:
> > 
> >> http://oss.sgi.com/projects/netdev/archive/2000-09/msg00001.html
> > 
> > It works because there is always 16 bytes of scratch at the end of an
> > SKB more than was allocated for the actual data.  So blindly deref'ing
> > the nlmsg_len value is fine here.
> 
> Yes but this is also used by user-space applications where this scratch
> space may not exist.  NETLINK messages can travel from one application
> to another so exploits are possible.

You're right, thanks for pointing this out.  I'll add it to my tree.

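The user-space case Herbert raises, as an added example that is not code from the thread or from the kernel tree: the two NLMSG_OK orderings from the patch rewritten as a receive loop in which every header read is checked against the real buffer size, so the over-read shows up as a flag instead of undefined behaviour. `demo_walk`, `demo_run` and `struct demo_result` are this example's own names; NLMSG_HDRLEN and NLMSG_ALIGN are redefined locally to match the 16-byte header and 4-byte alignment of <linux/netlink.h>.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NLMSG_HDRLEN 16                      /* sizeof(struct nlmsghdr) */
#define NLMSG_ALIGN(len) (((len) + 3) & ~3)  /* NLMSG_ALIGNTO == 4 */

struct demo_result { int msgs; int overread; };  /* accepted messages; 1 if a read crossed the buffer */

/* Walk a receive buffer the way a NLMSG_OK/NLMSG_NEXT loop does, but with
 * every header read checked against the real buffer size instead of
 * performed blindly.
 * use_fix == 0: pre-patch order, nlmsg_len read as soon as len > 0
 * use_fix == 1: post-patch order, nlmsg_len read only when len >= NLMSG_HDRLEN */
static struct demo_result demo_walk(const unsigned char *buf, size_t bufsz, int use_fix)
{
    struct demo_result r = {0, 0};
    size_t off = 0;
    int len = (int)bufsz;  /* signed, as the (int)sizeof cast in the patch expects */
    for (;;) {
        uint32_t nlmsg_len;
        if (use_fix ? len < NLMSG_HDRLEN : len <= 0)
            break;                                 /* first clause of either macro */
        if (off + sizeof nlmsg_len > bufsz) {      /* the macro would read here regardless */
            r.overread = 1;
            break;
        }
        memcpy(&nlmsg_len, buf + off, sizeof nlmsg_len);  /* host byte order, as on the wire */
        if (nlmsg_len < NLMSG_HDRLEN || nlmsg_len > (uint32_t)len)
            break;                                 /* remaining clauses, identical in both */
        r.msgs++;
        len -= NLMSG_ALIGN(nlmsg_len);             /* NLMSG_NEXT */
        off += NLMSG_ALIGN(nlmsg_len);
    }
    return r;
}

/* Constructed sample: one header-only message (16 bytes) plus `extra` stray
 * trailing bytes, as a careless or hostile peer could send them (extra <= 48). */
static struct demo_result demo_run(int use_fix, size_t extra)
{
    unsigned char buf[64];
    uint32_t hdrlen = NLMSG_HDRLEN;
    size_t total = NLMSG_HDRLEN + extra;
    memset(buf, 0, sizeof buf);
    memcpy(buf, &hdrlen, sizeof hdrlen);          /* nlmsg_len = 16 */
    memset(buf + NLMSG_HDRLEN, 0xAA, extra);      /* trailing junk */
    return demo_walk(buf, total, use_fix);
}
```

Only 1 to 3 leftover bytes make the pre-patch 4-byte read of nlmsg_len cross the end of the buffer; that is the read the 16 bytes of skb scratch absorb in the kernel and a user-space buffer does not.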
