From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Message-Id: <20140512003202.045601156@1wt.eu> Date: Mon, 12 May 2014 02:32:34 +0200 From: Willy Tarreau To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Mathias Krause , "David S. Miller" , Willy Tarreau Subject: [ 034/143] connector: use nlmsg_len() to check message length In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org List-ID: 2.6.32-longterm review patch. If anyone has any objections, please let me know. ------------------ From: Mathias Krause [ Upstream commit 162b2bedc084d2d908a04c93383ba02348b648b0 ] The current code tests the length of the whole netlink message to be at least as long to fit a cn_msg. This is wrong as nlmsg_len includes the length of the netlink message header. Use nlmsg_len() instead to fix this "off-by-NLMSG_HDRLEN" size check. Cc: stable@vger.kernel.org Signed-off-by: Mathias Krause Signed-off-by: David S. Miller Signed-off-by: Willy Tarreau --- drivers/connector/connector.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c index 537c29a..980412b 100644 --- a/drivers/connector/connector.c +++ b/drivers/connector/connector.c @@ -177,17 +177,18 @@ static int cn_call_callback(struct sk_buff *skb) static void cn_rx_skb(struct sk_buff *__skb) { struct nlmsghdr *nlh; - int err; struct sk_buff *skb; + int len, err; skb = skb_get(__skb); if (skb->len >= NLMSG_SPACE(0)) { nlh = nlmsg_hdr(skb); + len = nlmsg_len(nlh); - if (nlh->nlmsg_len < sizeof(struct cn_msg) || + if (len < (int)sizeof(struct cn_msg) || skb->len < nlh->nlmsg_len || - nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) { + len > CONNECTOR_MAX_MSG_SIZE) { kfree_skb(skb); return; } -- 1.7.12.2.21.g234cd45.dirty