public inbox for stable@vger.kernel.org
From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org,
	"David S. Miller" <davem@davemloft.net>,
	"Mathias Krause" <minipli@googlemail.com>,
	stable@vger.kernel.org
Subject: [PATCH 3.2 12/87] connector: use nlmsg_len() to check message length
Date: Mon, 25 Nov 2013 13:44:29 +0000
Message-ID: <lsq.1385387069.880218928@decadent.org.uk>
In-Reply-To: <lsq.1385387069.559528559@decadent.org.uk>

3.2.53-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Mathias Krause <minipli@googlemail.com>

[ Upstream commit 162b2bedc084d2d908a04c93383ba02348b648b0 ]

The current code tests the length of the whole netlink message to be
at least as long to fit a cn_msg. This is wrong as nlmsg_len includes
the length of the netlink message header. Use nlmsg_len() instead to
fix this "off-by-NLMSG_HDRLEN" size check.

Cc: stable@vger.kernel.org  # v2.6.14+
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 drivers/connector/connector.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
index dde6a0f..ea6efe8 100644
--- a/drivers/connector/connector.c
+++ b/drivers/connector/connector.c
@@ -157,17 +157,18 @@ static int cn_call_callback(struct sk_buff *skb)
 static void cn_rx_skb(struct sk_buff *__skb)
 {
 	struct nlmsghdr *nlh;
-	int err;
 	struct sk_buff *skb;
+	int len, err;
 
 	skb = skb_get(__skb);
 
 	if (skb->len >= NLMSG_SPACE(0)) {
 		nlh = nlmsg_hdr(skb);
+		len = nlmsg_len(nlh);
 
-		if (nlh->nlmsg_len < sizeof(struct cn_msg) ||
+		if (len < (int)sizeof(struct cn_msg) ||
 		    skb->len < nlh->nlmsg_len ||
-		    nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) {
+		    len > CONNECTOR_MAX_MSG_SIZE) {
 			kfree_skb(skb);
 			return;
 		}
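
Review bot: the `(int)` cast in `len < (int)sizeof(struct cn_msg)` is what keeps this check safe, and it should carry a short comment so a later cleanup does not drop it. `len` is a signed int from nlmsg_len(nlh), which subtracts the netlink header length from nlh->nlmsg_len, so a header that claims less than the header length yields a negative `len`. With the cast the comparison is signed and that value is rejected; without it `len` would be converted to an unsigned type and pass the lower bound. Separately, the last condition now bounds the payload (`len > CONNECTOR_MAX_MSG_SIZE`) where it used to bound the whole message, so the largest accepted message grows by the header length. The commit message only describes the lower-bound fix, so please state there whether the change to the upper bound is intended. Keeping `skb->len < nlh->nlmsg_len` on the raw field looks right, since skb->len counts the header too.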

