Message ID | 1357259662.2685.63.camel@bwh-desktop.uk.solarflarecom.com |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
Headers | show |
On Fri, 4 Jan 2013 00:34:22 +0000 Ben Hutchings <bhutchings@solarflare.com> wrote: > From: Eric Dumazet <eric.dumazet@gmail.com> > > commit a4b64fbe482c7766f7925f03067fc637716bfa3f upstream. > > nlmsg_parse() might return an error, so test its return value before > potential random memory accesses. > > Errors introduced in commit 115c9b81928 (rtnetlink: Fix problem with > buffer allocation) > > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> > Cc: Greg Rose <gregory.v.rose@intel.com> > Signed-off-by: David S. Miller <davem@davemloft.net> Acked-by: Greg Rose <gregory.v.rose@intel.com> > --- > net/core/rtnetlink.c | 18 ++++++++++-------- > 1 files changed, 10 insertions(+), 8 deletions(-) > > diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c > index e41ce2a..49f281e 100644 > --- a/net/core/rtnetlink.c > +++ b/net/core/rtnetlink.c > @@ -1044,11 +1044,12 @@ static int rtnl_dump_ifinfo(struct sk_buff > *skb, struct netlink_callback *cb) > rcu_read_lock(); > > - nlmsg_parse(cb->nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX, > - ifla_policy); > + if (nlmsg_parse(cb->nlh, sizeof(struct rtgenmsg), tb, > IFLA_MAX, > + ifla_policy) >= 0) { > > - if (tb[IFLA_EXT_MASK]) > - ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]); > + if (tb[IFLA_EXT_MASK]) > + ext_filter_mask = > nla_get_u32(tb[IFLA_EXT_MASK]); > + } > > for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { > idx = 0; > @@ -1874,10 +1875,11 @@ static u16 rtnl_calcit(struct sk_buff *skb, > struct nlmsghdr *nlh) u32 ext_filter_mask = 0; > u16 min_ifinfo_dump_size = 0; > > - nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX, > ifla_policy); - > - if (tb[IFLA_EXT_MASK]) > - ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]); > + if (nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX, > + ifla_policy) >= 0) { > + if (tb[IFLA_EXT_MASK]) > + ext_filter_mask = > nla_get_u32(tb[IFLA_EXT_MASK]); > + } > > if (!ext_filter_mask) > return NLMSG_GOODSIZE; > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index e41ce2a..49f281e 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -1044,11 +1044,12 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb) rcu_read_lock(); - nlmsg_parse(cb->nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX, - ifla_policy); + if (nlmsg_parse(cb->nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX, + ifla_policy) >= 0) { - if (tb[IFLA_EXT_MASK]) - ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]); + if (tb[IFLA_EXT_MASK]) + ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]); + } for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) { idx = 0; @@ -1874,10 +1875,11 @@ static u16 rtnl_calcit(struct sk_buff *skb, struct nlmsghdr *nlh) u32 ext_filter_mask = 0; u16 min_ifinfo_dump_size = 0; - nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX, ifla_policy); - - if (tb[IFLA_EXT_MASK]) - ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]); + if (nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX, + ifla_policy) >= 0) { + if (tb[IFLA_EXT_MASK]) + ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]); + } if (!ext_filter_mask) return NLMSG_GOODSIZE;