Patchwork [3.5.y.z,extended,stable] Patch "sock_diag: Fix out-of-bounds access to sock_diag_handlers[]" has been added to staging queue

Submitter Luis Henriques
Date Feb. 28, 2013, 11:59 a.m.
Message ID <>
Permalink /patch/223950/
State New


Luis Henriques - Feb. 28, 2013, 11:59 a.m.
This is a note to let you know that I have just added a patch titled

    sock_diag: Fix out-of-bounds access to sock_diag_handlers[]

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From e83c00b5daeaeef5635926d9e907f100f1bfa419 Mon Sep 17 00:00:00 2001
From: Mathias Krause <>
Date: Sat, 23 Feb 2013 01:13:47 +0000
Subject: [PATCH] sock_diag: Fix out-of-bounds access to sock_diag_handlers[]

commit 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0 upstream.

Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
with a family greater than or equal to AF_MAX -- the array size of
sock_diag_handlers[]. The current code does not test for this
condition and is therefore vulnerable to an out-of-bounds access,
opening the door to a privilege escalation.

Signed-off-by: Mathias Krause <>
Acked-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Luis Henriques <>
 net/core/sock_diag.c | 3 +++
 1 file changed, 3 insertions(+)



diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index 5fd1467..964a92c 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -126,6 +126,9 @@  static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 	if (nlmsg_len(nlh) < sizeof(*req))
 		return -EINVAL;

+	if (req->sdiag_family >= AF_MAX)
+		return -EINVAL;
 	hndl = sock_diag_lock_handler(req->sdiag_family);
 	if (hndl == NULL)
 		err = -ENOENT;
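Review bot: the new `req->sdiag_family >= AF_MAX` test protects only this caller; `sock_diag_lock_handler()` on the next line still indexes `sock_diag_handlers[]` with whatever family it is handed, so consider moving the bound check into `sock_diag_lock_handler()` itself (returning NULL, which this caller already maps to -ENOENT) so that any other present or future caller is covered as well. The placement is otherwise right: the check sits after the `nlmsg_len(nlh) < sizeof(*req)` test, so `req` is not dereferenced before the payload is known to be long enough, and returning -EINVAL for an out-of-range family while keeping -ENOENT for an in-range family with no registered handler lets userspace tell the two apart. Minor style point: add a blank line after `return -EINVAL;` so the new check is set off from the handler lookup the same way the length check above it is.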
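To make the boundary concrete, the following is an added user-space model of the dispatch path the hunk changes; it is example code written for this page, not kernel code. It reuses the kernel names (`sock_diag_handlers`, `sock_diag_lock_handler`, `sock_diag_rcv_msg`) for readability, but the struct layouts and the values AF_MAX = 40 and SOCK_DIAG_BY_FAMILY = 20 are assumptions taken from the uapi headers of that era, and `build_request`, `probe_family` and `probe_truncated` are hypothetical helpers. The point it shows is that `sdiag_family` is a single byte, so 256 values reach the lookup while the table has AF_MAX entries, and that the fix has to use `>=`, because AF_MAX itself is already one past the last slot.

```c
/* Added example: user-space model of the patched __sock_diag_rcv_msg() path. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AF_UNIX              1
#define AF_INET              2
#define AF_MAX              40   /* assumption: size of sock_diag_handlers[] in 3.5-era kernels */
#define SOCK_DIAG_BY_FAMILY 20   /* assumption: value from uapi/linux/sock_diag.h */

struct nlmsghdr {                /* same field order as the real netlink header */
    uint32_t nlmsg_len;
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};
#define NLMSG_HDRLEN sizeof(struct nlmsghdr)

struct sock_diag_req {           /* sdiag_family is one byte: attacker picks 0..255 */
    uint8_t sdiag_family;
    uint8_t sdiag_protocol;
};

struct sock_diag_handler {
    uint8_t family;
    int (*dump)(const struct sock_diag_req *req);
};

/* The table the bug indexes: AF_MAX slots, so families 40..255 fall past its end. */
static const struct sock_diag_handler *sock_diag_handlers[AF_MAX];

static int sock_diag_register(const struct sock_diag_handler *hndl)
{
    if (hndl->family >= AF_MAX)
        return -EINVAL;
    if (sock_diag_handlers[hndl->family] != NULL)
        return -EBUSY;
    sock_diag_handlers[hndl->family] = hndl;
    return 0;
}

/* Indexes the table with whatever it is handed, like the kernel helper. */
static const struct sock_diag_handler *sock_diag_lock_handler(int family)
{
    return sock_diag_handlers[family];
}

/* Model of __sock_diag_rcv_msg() with the patch applied. */
static int sock_diag_rcv_msg(const void *msg, size_t msg_len)
{
    const struct nlmsghdr *nlh = msg;
    const struct sock_diag_req *req;
    const struct sock_diag_handler *hndl;

    if (msg_len < NLMSG_HDRLEN || nlh->nlmsg_len < NLMSG_HDRLEN ||
        nlh->nlmsg_len > msg_len)
        return -EINVAL;
    if (nlh->nlmsg_type != SOCK_DIAG_BY_FAMILY)
        return -EINVAL;
    /* nlmsg_len(nlh) < sizeof(*req): the check that already preceded the hunk. */
    if (nlh->nlmsg_len - NLMSG_HDRLEN < sizeof(*req))
        return -EINVAL;
    req = (const struct sock_diag_req *)((const char *)msg + NLMSG_HDRLEN);

    /* The added check. Without it, families AF_MAX..255 read past the table. */
    if (req->sdiag_family >= AF_MAX)
        return -EINVAL;

    hndl = sock_diag_lock_handler(req->sdiag_family);
    if (hndl == NULL)
        return -ENOENT;
    return hndl->dump(req);
}

/* Constructed request: netlink header immediately followed by the diag request. */
struct diag_msg {
    struct nlmsghdr nlh;
    struct sock_diag_req req;
};

/* Hypothetical helper: fills in a SOCK_DIAG_BY_FAMILY request for `family`. */
static void build_request(struct diag_msg *m, uint8_t family)
{
    memset(m, 0, sizeof *m);
    m->nlh.nlmsg_len = (uint32_t)(NLMSG_HDRLEN + sizeof m->req);
    m->nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    m->nlh.nlmsg_seq = 1;
    m->req.sdiag_family = family;
}

static int inet_diag_dump(const struct sock_diag_req *req) { (void)req; return 0; }
static const struct sock_diag_handler inet_diag_handler = { AF_INET, inet_diag_dump };

/* Hypothetical helper: runs a request for `family` through the patched path. */
static int probe_family(uint8_t family)
{
    struct diag_msg m;
    build_request(&m, family);
    return sock_diag_rcv_msg(&m, m.nlh.nlmsg_len);
}

/* Hypothetical helper: header only, no payload; rejected before req is touched. */
static int probe_truncated(void)
{
    struct diag_msg m;
    build_request(&m, AF_INET);
    m.nlh.nlmsg_len = (uint32_t)NLMSG_HDRLEN;
    return sock_diag_rcv_msg(&m, NLMSG_HDRLEN);
}

int main(void)
{
    sock_diag_register(&inet_diag_handler);
    printf("AF_INET   -> %d\n", probe_family(AF_INET));   /* 0: dispatched */
    printf("AF_UNIX   -> %d\n", probe_family(AF_UNIX));   /* -ENOENT: in range, no handler */
    printf("AF_MAX    -> %d\n", probe_family(AF_MAX));    /* -EINVAL: one past the last slot */
    printf("0xff      -> %d\n", probe_family(0xff));      /* -EINVAL */
    printf("truncated -> %d\n", probe_truncated());       /* -EINVAL */
    return 0;
}
```

The -ENOENT for AF_UNIX versus -EINVAL for AF_MAX is the behaviour the hunk produces: an in-range family with no registered handler is "not found", while an out-of-range byte is rejected as invalid input before the table is ever indexed.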