From patchwork Mon Sep 30 20:03:07 2013
X-Patchwork-Submitter: Mathias Krause
X-Patchwork-Id: 279246
X-Patchwork-Delegate: davem@davemloft.net
From: Mathias Krause
To: Evgeniy Polyakov
Cc: Mathias Krause, netdev@vger.kernel.org
Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length
Date: Mon, 30 Sep 2013 22:03:07 +0200
Message-Id: <1380571389-15343-3-git-send-email-minipli@googlemail.com>
In-Reply-To: <1380571389-15343-1-git-send-email-minipli@googlemail.com>
References: <1380571389-15343-1-git-send-email-minipli@googlemail.com>
X-Mailing-List: netdev@vger.kernel.org

The current code tests the length of the whole netlink message to be at least
long enough to fit a cn_msg. This is wrong as nlmsg_len includes the length of
the netlink message header. Use nlmsg_len() instead to fix this
"off-by-NLMSG_HDRLEN" size check.

Cc: stable@vger.kernel.org # v2.6.14+
Signed-off-by: Mathias Krause
---
 drivers/connector/connector.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
index 6ecfa75..0daa11e 100644
--- a/drivers/connector/connector.c
+++ b/drivers/connector/connector.c
@@ -157,17 +157,18 @@ static int cn_call_callback(struct sk_buff *skb) static void cn_rx_skb(struct sk_buff *__skb) { struct nlmsghdr *nlh; - int err; struct sk_buff *skb; + int len, err; skb = skb_get(__skb); if (skb->len >= NLMSG_HDRLEN) { nlh = nlmsg_hdr(skb); + len = nlmsg_len(nlh); - if (nlh->nlmsg_len < sizeof(struct cn_msg) || + if (len < (int)sizeof(struct cn_msg) || skb->len < nlh->nlmsg_len || - nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) { + len > CONNECTOR_MAX_MSG_SIZE) { kfree_skb(skb); return; }
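Review bot: the `(int)` cast in `+ if (len < (int)sizeof(struct cn_msg) ||` is load-bearing and deserves a one-line comment in the hunk. The surrounding guard only checks `skb->len >= NLMSG_HDRLEN`, not `nlh->nlmsg_len`, and the header is supplied by the sender, so a message claiming fewer than NLMSG_HDRLEN bytes makes `nlmsg_len(nlh)` return a negative int; compared against a bare `sizeof` that negative value would be promoted to an unsigned size and sail past the check, while the cast turns it into a rejection. In the same condition, `skb->len < nlh->nlmsg_len ||` intentionally keeps comparing the total length rather than the new `len`; that is correct (the skb must hold the header as well as the payload), but with two adjacent comparisons now using different lengths a short comment saying why would save the next reader from "fixing" it.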
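To make the off-by-NLMSG_HDRLEN concrete, the following user-space program is an added example and is not part of the patch or of the kernel tree. It re-implements the pre-patch and post-patch conditions from the hunk side by side and runs them on constructed netlink headers. The `struct nlmsghdr` and `struct cn_msg` definitions are replicas of the uapi layouts (assumed to give NLMSG_HDRLEN == 16 and sizeof(struct cn_msg) == 20, as on the usual Linux ABIs), CONNECTOR_MAX_MSG_SIZE is the uapi value, and `accept_after_no_cast` is a hypothetical variant with the patch's `(int)` cast removed, included only to show what the cast protects against.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Replicas of include/uapi/linux/netlink.h and include/uapi/linux/connector.h
 * so the checks run stand-alone (assumption: same layout as on the host). */
struct nlmsghdr {
	uint32_t nlmsg_len;	/* length of the whole message, header included */
	uint16_t nlmsg_type;
	uint16_t nlmsg_flags;
	uint32_t nlmsg_seq;
	uint32_t nlmsg_pid;
};

struct cb_id { uint32_t idx; uint32_t val; };

struct cn_msg {
	struct cb_id id;
	uint32_t seq;
	uint32_t ack;
	uint16_t len;		/* connector payload length, set by the sender */
	uint16_t flags;
	uint8_t data[];
};

#define NLMSG_ALIGNTO		4U
#define NLMSG_ALIGN(len)	(((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_HDRLEN		((int)NLMSG_ALIGN(sizeof(struct nlmsghdr)))
#define CONNECTOR_MAX_MSG_SIZE	16384

/* Same arithmetic as the kernel's nlmsg_len(): payload bytes after the header. */
static inline int nlmsg_len(const struct nlmsghdr *nlh)
{
	return nlh->nlmsg_len - NLMSG_HDRLEN;
}

/* Pre-patch condition: the total length (header included) is compared with
 * sizeof(struct cn_msg). Returns 1 when the message would be accepted. */
static int accept_before(const unsigned char *buf, unsigned int skb_len)
{
	const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;

	if (skb_len < (unsigned int)NLMSG_HDRLEN) return 0;
	if (nlh->nlmsg_len < sizeof(struct cn_msg) ||
	    skb_len < nlh->nlmsg_len ||
	    nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE)
		return 0;
	return 1;
}

/* Post-patch condition: only the payload is measured, and the (int) cast keeps
 * a negative nlmsg_len() from being promoted to a huge unsigned value. */
static int accept_after(const unsigned char *buf, unsigned int skb_len)
{
	const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
	int len;

	if (skb_len < (unsigned int)NLMSG_HDRLEN) return 0;
	len = nlmsg_len(nlh);
	if (len < (int)sizeof(struct cn_msg) ||
	    skb_len < nlh->nlmsg_len ||
	    len > CONNECTOR_MAX_MSG_SIZE)
		return 0;
	return 1;
}

/* Hypothetical variant with the cast dropped: a header claiming fewer than
 * NLMSG_HDRLEN bytes gives len = -8, which as size_t is SIZE_MAX - 7. */
static int accept_after_no_cast(const unsigned char *buf, unsigned int skb_len)
{
	const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
	int len;

	if (skb_len < (unsigned int)NLMSG_HDRLEN) return 0;
	len = nlmsg_len(nlh);
	if (len < sizeof(struct cn_msg) ||	/* int vs size_t comparison */
	    skb_len < nlh->nlmsg_len ||
	    len > CONNECTOR_MAX_MSG_SIZE)
		return 0;
	return 1;
}

/* Run one check on a constructed, zero-filled message whose header claims
 * `claimed` bytes while the socket buffer actually holds `skb_len` bytes. */
static int verdict(int (*check)(const unsigned char *, unsigned int),
		   uint32_t claimed, unsigned int skb_len)
{
	unsigned char buf[64] = { 0 };	/* constructed sample, not captured traffic */
	struct nlmsghdr nlh = { 0 };

	nlh.nlmsg_len = claimed;
	memcpy(buf, &nlh, sizeof(nlh));
	return check(buf, skb_len);
}

int main(void)
{
	/* Header plus 4 payload bytes: the total equals sizeof(struct cn_msg), so the
	 * old check accepts it although a 20-byte cn_msg would run 16 bytes past
	 * the end of the message. */
	printf("nlmsg_len=20 before=%d after=%d\n",
	       verdict(accept_before, 20, 20), verdict(accept_after, 20, 20));
	/* Header plus a full cn_msg: both checks accept. */
	printf("nlmsg_len=36 before=%d after=%d\n",
	       verdict(accept_before, 36, 36), verdict(accept_after, 36, 36));
	/* Header claims 8 bytes, buffer holds 16: only the cast-less variant lets
	 * the negative payload length through. */
	printf("nlmsg_len=8  before=%d after=%d no_cast=%d\n",
	       verdict(accept_before, 8, 16), verdict(accept_after, 8, 16),
	       verdict(accept_after_no_cast, 8, 16));
	return 0;
}
```

The first case is the bug the commit message describes: with the header counted, a message whose total length is exactly sizeof(struct cn_msg) passes the old check while carrying only 4 payload bytes. The third case is why the cast in the patch matters rather than being a style choice: the sender controls nlmsg_len, and the guard before it only bounds skb->len.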