summaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorVegard Nossum <vegard.nossum@gmail.com>2008-12-26 02:21:17 +0100
committerDavid S. Miller <davem@davemloft.net>2008-12-26 02:21:17 +0100
commit619e803d3c1b7bcc17c45e81f309d0b9b3df2d5d (patch)
treec2c279dd155e07e96c7a2f483cce6c48c1640cd6 /include
parenttcp: Always set urgent pointer if it's beyond snd_nxt (diff)
downloadlinux-619e803d3c1b7bcc17c45e81f309d0b9b3df2d5d.tar.xz
linux-619e803d3c1b7bcc17c45e81f309d0b9b3df2d5d.zip
netlink: fix (theoretical) overrun in message iteration
See commit 1045b03e07d85f3545118510a587035536030c1c ("netlink: fix overrun in attribute iteration") for a detailed explanation of why this patch is necessary. In short, nlmsg_next() can make "remaining" go negative, and the remaining >= sizeof(...) comparison will promote "remaining" to an unsigned type, which means that the expression will evaluate to true for negative numbers, even though it was not intended. I put "theoretical" in the title because I have no evidence that this can actually happen, but I suspect that a crafted netlink packet can trigger some badness. Note that the last test, which seemingly has the exact same problem (also true for nla_ok()), is perfectly OK, since we already know that remaining is positive. Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r--include/net/netlink.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/include/net/netlink.h b/include/net/netlink.h
index 46b7764f1774..8a6150a3f4c7 100644
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -332,7 +332,7 @@ static inline int nlmsg_attrlen(const struct nlmsghdr *nlh, int hdrlen)
*/
static inline int nlmsg_ok(const struct nlmsghdr *nlh, int remaining)
{
- return (remaining >= sizeof(struct nlmsghdr) &&
+ return (remaining >= (int) sizeof(struct nlmsghdr) &&
nlh->nlmsg_len >= sizeof(struct nlmsghdr) &&
nlh->nlmsg_len <= remaining);
}