| Message ID | 1362052777-21211-1-git-send-email-luis.henriques@canonical.com |
|---|---|
| State | New |
| Headers | show |
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c index 5fd1467..964a92c 100644 --- a/net/core/sock_diag.c +++ b/net/core/sock_diag.c @@ -126,6 +126,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (nlmsg_len(nlh) < sizeof(*req)) return -EINVAL; + if (req->sdiag_family >= AF_MAX) + return -EINVAL; + hndl = sock_diag_lock_handler(req->sdiag_family); if (hndl == NULL) err = -ENOENT;
This is a note to let you know that I have just added a patch titled sock_diag: Fix out-of-bounds access to sock_diag_handlers[] to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.5.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Luis ------ From e83c00b5daeaeef5635926d9e907f100f1bfa419 Mon Sep 17 00:00:00 2001 From: Mathias Krause <minipli@googlemail.com> Date: Sat, 23 Feb 2013 01:13:47 +0000 Subject: [PATCH] sock_diag: Fix out-of-bounds access to sock_diag_handlers[] commit 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0 upstream. Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX -- the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation. Signed-off-by: Mathias Krause <minipli@googlemail.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Luis Henriques <luis.henriques@canonical.com> --- net/core/sock_diag.c | 3 +++ 1 file changed, 3 insertions(+) -- 1.8.1.2