From: Thomas Graf <tgraf@suug.ch>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org
Subject: [PATCH 4/9] [IPV4]: Convert address deletion to new netlink api
Date: Sat, 05 Aug 2006 00:00:04 +0200 [thread overview]
Message-ID: <20060805003536.455996896@postel.suug.ch> (raw)
In-Reply-To: 20060805003452.493542515@postel.suug.ch
[-- Attachment #1: nl_ipv4_deladdr --]
[-- Type: text/plain, Size: 2033 bytes --]
Fixes various unvalidated netlink attributes causing
memory corruptions when left empty by userspace.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Index: net-2.6.19/net/ipv4/devinet.c
===================================================================
--- net-2.6.19.orig/net/ipv4/devinet.c
+++ net-2.6.19/net/ipv4/devinet.c
@@ -430,34 +430,48 @@ struct in_ifaddr *inet_ifa_byprefix(stru
static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
{
- struct rtattr **rta = arg;
+ struct nlattr *tb[IFA_MAX+1];
struct in_device *in_dev;
- struct ifaddrmsg *ifm = NLMSG_DATA(nlh);
+ struct ifaddrmsg *ifm;
struct in_ifaddr *ifa, **ifap;
+ int err = -EINVAL;
ASSERT_RTNL();
- if ((in_dev = inetdev_by_index(ifm->ifa_index)) == NULL)
- goto out;
+ err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv4_policy);
+ if (err < 0)
+ goto errout;
+
+ ifm = nlmsg_data(nlh);
+ in_dev = inetdev_by_index(ifm->ifa_index);
+ if (in_dev == NULL) {
+ err = -ENODEV;
+ goto errout;
+ }
+
__in_dev_put(in_dev);
for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL;
ifap = &ifa->ifa_next) {
- if ((rta[IFA_LOCAL - 1] &&
- memcmp(RTA_DATA(rta[IFA_LOCAL - 1]),
- &ifa->ifa_local, 4)) ||
- (rta[IFA_LABEL - 1] &&
- rtattr_strcmp(rta[IFA_LABEL - 1], ifa->ifa_label)) ||
- (rta[IFA_ADDRESS - 1] &&
- (ifm->ifa_prefixlen != ifa->ifa_prefixlen ||
- !inet_ifa_match(*(u32*)RTA_DATA(rta[IFA_ADDRESS - 1]),
- ifa))))
+ if (tb[IFA_LOCAL] &&
+ ifa->ifa_local != nla_get_u32(tb[IFA_LOCAL]))
continue;
+
+ if (tb[IFA_LABEL] && nla_strcmp(tb[IFA_LABEL], ifa->ifa_label))
+ continue;
+
+ if (tb[IFA_ADDRESS] &&
+ (ifm->ifa_prefixlen != ifa->ifa_prefixlen ||
+ !inet_ifa_match(nla_get_u32(tb[IFA_ADDRESS]), ifa)))
+ continue;
+
inet_del_ifa(in_dev, ifap, 1);
return 0;
}
-out:
- return -EADDRNOTAVAIL;
+
+ err = -EADDRNOTAVAIL;
+errout:
+ return err;
}
static struct in_ifaddr *rtm_to_ifaddr(struct nlmsghdr *nlh)
next prev parent reply other threads:[~2006-08-05 0:43 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-05 0:34 [PATCHSET] Begin of transformations to new netlink api Thomas Graf
2006-08-04 22:00 ` [PATCH 1/9] [NETLINK]: Extend netlink messaging interface Thomas Graf
2006-08-04 22:00 ` [PATCH 2/9] [NETLINK]: Convert core netlink handling to new netlink api Thomas Graf
2006-08-04 22:00 ` [PATCH 3/9] [IPV4]: Convert address addition " Thomas Graf
2006-08-04 22:00 ` Thomas Graf [this message]
2006-08-04 22:00 ` [PATCH 5/9] [IPV4]: Convert address dumping " Thomas Graf
2006-08-04 22:00 ` [PATCH 6/9] [IPv4]: Move interface address bits to linux/if_addr.h Thomas Graf
2006-08-04 22:00 ` [PATCH 7/9] [NET]: Convert link modification to new netlink api Thomas Graf
2006-08-04 22:00 ` [PATCH 8/9] [NET]: Convert link dumping " Thomas Graf
2006-08-04 22:00 ` [PATCH 9/9] [NET]: Move netlink interface bits to linux/if.h Thomas Graf
2006-08-06 5:42 ` Stephen Hemminger
2006-08-05 6:23 ` David Miller
2006-08-07 17:57 ` Stephen Hemminger
2006-08-05 6:21 ` [PATCHSET] Begin of transformations to new netlink api David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060805003536.455996896@postel.suug.ch \
--to=tgraf@suug.ch \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).