
netlink: policy: correct validation type check

Message ID 20200831202805.8ca5a2fe1ffb.I46f0d5bee0a774517aeec539620895a473dd2299@changeid
State Accepted
Delegated to: David Miller

Commit Message

Johannes Berg Aug. 31, 2020, 6:28 p.m. UTC
From: Johannes Berg <johannes.berg@intel.com>

In the policy export for binary attributes I erroneously used
a != NLA_VALIDATE_NONE comparison instead of checking for the
two possible values, which meant that if a validation function
pointer ended up aliasing the min/max as negatives, we'd hit
a warning in nla_get_range_unsigned().

Fix this to correctly check for only the two types that should
be handled here, i.e. range with or without warn-too-long.

Reported-by: syzbot+353df1490da781637624@syzkaller.appspotmail.com
Fixes: 8aa26c575fb3 ("netlink: make NLA_BINARY validation more flexible")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/netlink/policy.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
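The aliasing described in the commit message, as an added example that is not part of the patch or of the kernel source: a reduced model in which the range bounds and a validation function pointer share storage. The struct layout, the helper names and the pointer value are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Reduced model for illustration; not the kernel's struct nla_policy. */
enum { NLA_VALIDATE_NONE, NLA_VALIDATE_RANGE,
       NLA_VALIDATE_RANGE_WARN_TOO_LONG, NLA_VALIDATE_FUNCTION };

struct model_policy {
	uint8_t validation_type;	/* says which union member is live */
	union {
		struct { int16_t min, max; } range;
		int (*validate)(const void *attr);
	} u;
};

/* Pre-patch condition: every type except NONE is read as a range. */
static int exports_range_old(const struct model_policy *pt)
{
	return pt->validation_type != NLA_VALIDATE_NONE;
}

/* Post-patch condition: only the two range types are read as a range. */
static int exports_range_new(const struct model_policy *pt)
{
	return pt->validation_type == NLA_VALIDATE_RANGE ||
	       pt->validation_type == NLA_VALIDATE_RANGE_WARN_TOO_LONG;
}

/* Stand-in for the warning condition: negative bounds in an unsigned range. */
static int range_is_bogus(const struct model_policy *pt)
{
	return pt->u.range.min < 0 || pt->u.range.max < 0;
}

static struct model_policy function_policy(void)
{
	struct model_policy pt = { .validation_type = NLA_VALIDATE_FUNCTION };
	/* Constructed value standing in for a kernel text address. */
	pt.u.validate = (int (*)(const void *))(uintptr_t)0xffffffff81a0f3c0ULL;
	return pt;
}

int main(void)
{
	struct model_policy pt = function_policy();
	printf("old export=%d bogus=%d, new export=%d\n", exports_range_old(&pt),
	       range_is_bogus(&pt), exports_range_new(&pt));
	return 0;
}
```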

Comments

David Miller Aug. 31, 2020, 7:02 p.m. UTC | #1
From: Johannes Berg <johannes@sipsolutions.net>
Date: Mon, 31 Aug 2020 20:28:05 +0200

> From: Johannes Berg <johannes.berg@intel.com>
> 
> In the policy export for binary attributes I erroneously used
> a != NLA_VALIDATE_NONE comparison instead of checking for the
> two possible values, which meant that if a validation function
> pointer ended up aliasing the min/max as negatives, we'd hit
> a warning in nla_get_range_unsigned().
> 
> Fix this to correctly check for only the two types that should
> be handled here, i.e. range with or without warn-too-long.
> 
> Reported-by: syzbot+353df1490da781637624@syzkaller.appspotmail.com
> Fixes: 8aa26c575fb3 ("netlink: make NLA_BINARY validation more flexible")
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Applied, thank you.

Patch

diff --git a/net/netlink/policy.c b/net/netlink/policy.c
index 7b1f50531cd3..5c9e7530865f 100644
--- a/net/netlink/policy.c
+++ b/net/netlink/policy.c
@@ -264,7 +264,8 @@  int netlink_policy_dump_write(struct sk_buff *skb, unsigned long _state)
 		else
 			type = NL_ATTR_TYPE_BINARY;
 
-		if (pt->validation_type != NLA_VALIDATE_NONE) {
+		if (pt->validation_type == NLA_VALIDATE_RANGE ||
+		    pt->validation_type == NLA_VALIDATE_RANGE_WARN_TOO_LONG) {
 			struct netlink_range_validation range;
 
 			nla_get_range_unsigned(pt, &range);
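Review bot: the new two-value condition on pt->validation_type carries no comment saying why only NLA_VALIDATE_RANGE and NLA_VALIDATE_RANGE_WARN_TOO_LONG may reach nla_get_range_unsigned(); the reason (for other validation types the min/max storage can alias a validation function pointer) is recorded only in the commit message. A one-line comment above the if would keep a later cleanup from widening it back to != NLA_VALIDATE_NONE. A switch on pt->validation_type with these two cases would also make it obvious where any future range-style type for binary attributes has to be added, instead of it being silently exported without its length bounds.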