[Lucid,Precise/lts-backport-quantal,CVE-2014-3144,CVE-2014-3145] filter: prevent nla extensions to peek beyond the end of the message

Message ID 1401978713-21362-1-git-send-email-luis.henriques@canonical.com

Commit Message

Luis Henriques June 5, 2014, 2:31 p.m. UTC
Following this email, I'm sending the CVE-2014-3144 and CVE-2014-3145
fix (same commit), both for Lucid and lts-backport-quantal.

The backport of the fix is based on David Miller's backports for 3.2.y
and 3.4.y stable kernels.  However, the original backport contained
what I initially thought was duplicated code:


After reporting upstream[1], it ended up being a bug in patch (the
tool), and Mathias Krause provided a correct fix for these 2 kernels.

[1] http://thread.gmane.org/gmane.linux.kernel.stable/92920/focus=1718967

Mathias Krause (1):
  filter: prevent nla extensions to peek beyond the end of the message

 net/core/filter.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Patch

diff --git a/net/core/filter.c b/net/core/filter.c
index 5dea452..5b4d7ec 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -336,11 +336,15 @@  load_b:

                        if (skb_is_nonlinear(skb))
                                return 0;
+                       if (skb->len < sizeof(struct nlattr))
+                               return 0;
+                       if (skb->len < sizeof(struct nlattr))
+                               return 0;
                        if (A > skb->len - sizeof(struct nlattr))
                                return 0;

                        nla = (struct nlattr *)&skb->data[A];
-                       if (nla->nla_len > A - skb->len)
+                       if (nla->nla_len > skb->len - A)
                                return 0;

                        nla = nla_find_nested(nla, X);
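Review bot: The two consecutive `if (skb->len < sizeof(struct nlattr))` checks in this hunk are identical, so the second is dead code; the cover letter attributes the duplication to a bug in the patch tool, and the backport should carry a single copy of that check directly before `if (A > skb->len - sizeof(struct nlattr))`. One copy is genuinely needed there: `skb->len` is unsigned, so when the packet is shorter than an `nlattr` header the subtraction `skb->len - sizeof(struct nlattr)` wraps to a huge value and the existing bound test on `A` would pass for any offset. The replacement of `nla->nla_len > A - skb->len` with `nla->nla_len > skb->len - A` corrects the inverted operands of the original comparison, which is the actual length check on the attribute header found at `&skb->data[A]`; together with the new minimum-length test it keeps both reads inside the linear buffer. Please also carry the `skb->len` check to any other `SKF_AD_NLATTR`/`SKF_AD_NLATTR_NEST` branch in the same function that this truncated hunk does not show, or note in the commit message why only this one needs it.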