Vegard Nossum
619e803d3c
netlink: fix (theoretical) overrun in message iteration ...
See commit 1045b03e07d85f3545118510a587035536030c1c ("netlink: fix
overrun in attribute iteration") for a detailed explanation of why
this patch is necessary.
In short, nlmsg_next() can make "remaining" go negative, and the
remaining >= sizeof(...) comparison will promote "remaining" to an
unsigned type, which means that the expression will evaluate to
true for negative numbers, even though it was not intended.
I put "theoretical" in the title because I have no evidence that
this can actually happen, but I suspect that a crafted netlink
packet can trigger some badness.
Note that the last test, which seemingly has the exact same
problem (also true for nla_ok()), is perfectly OK, since we
already know that remaining is positive.
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-12-25 17:21:17 -08:00
2008-10-22 18:54:47 -05:00
2008-11-30 12:17:28 +01:00
2008-12-17 15:44:58 -08:00
2007-10-10 16:54:51 -07:00
2008-11-25 18:20:13 +01:00
2008-12-10 16:29:24 -08:00
2008-12-17 15:48:31 -08:00
2008-12-25 16:57:24 -08:00
2008-09-12 16:30:20 -07:00
2008-07-14 22:42:19 -07:00
2008-01-28 15:11:17 -08:00
2008-08-14 15:33:21 -07:00
2007-04-26 15:50:17 -07:00
2008-11-26 15:32:27 -08:00
2007-10-10 16:55:55 -07:00
2008-01-31 19:27:33 -08:00
2006-12-02 21:22:55 -08:00
2008-02-12 17:53:34 -08:00
2007-10-10 16:53:56 -07:00
2008-12-19 15:22:54 -05:00
2008-11-19 15:44:53 -08:00
2008-10-10 10:16:34 -04:00
2008-07-19 22:35:47 -07:00
2008-12-21 20:09:50 -08:00
2006-03-20 22:42:39 -08:00
2008-11-27 00:12:47 -08:00
2006-03-20 22:42:39 -08:00
2006-03-20 22:42:39 -08:00
2007-10-10 16:52:50 -07:00
2008-11-27 23:04:13 -08:00
2008-10-08 17:24:16 -07:00
2008-01-28 14:55:58 -08:00
2008-11-25 17:35:18 -08:00
2008-01-31 19:27:02 -08:00
2008-07-05 19:01:28 -07:00
2008-11-25 17:35:18 -08:00
2008-07-05 21:26:57 -07:00
2008-11-26 15:24:32 -08:00
2008-06-03 16:36:54 -07:00
2008-07-18 04:04:22 -07:00
2008-12-05 09:32:59 -05:00
2008-12-12 13:48:30 -05:00
2008-07-22 14:21:58 -07:00
2007-01-26 01:04:55 -08:00
2008-10-07 12:41:01 -07:00
2008-04-03 14:28:30 -07:00
2008-08-28 02:53:51 -07:00
2008-04-13 23:40:51 -07:00
2008-03-28 16:35:27 -07:00
2008-11-23 17:22:55 -08:00
2008-10-01 07:46:49 -07:00
2008-11-16 19:40:17 -08:00
2008-06-11 21:00:38 -07:00
2006-12-22 11:12:07 -08:00
2008-03-04 13:48:30 -08:00
2008-08-14 15:33:21 -07:00
2008-06-11 21:00:38 -07:00
2008-02-05 02:54:16 -08:00
2008-11-19 15:44:53 -08:00
2008-11-25 18:00:48 -08:00
2008-07-25 02:54:40 -07:00
2008-06-11 21:00:38 -07:00
2008-10-09 12:03:17 -07:00
2008-10-08 11:16:45 -07:00
2007-04-25 22:25:31 -07:00
2008-06-16 18:50:49 -07:00
2008-11-21 11:42:55 -05:00
2007-10-10 16:49:07 -07:00
2008-02-29 11:46:17 -08:00
2008-03-31 21:02:47 -07:00
2008-03-31 21:02:47 -07:00
2008-03-28 16:28:36 -07:00
2008-12-19 15:24:00 -05:00
2008-04-12 13:43:22 +09:00
2008-11-06 00:49:37 -05:00
2008-11-12 00:54:54 -08:00
2008-11-25 17:14:31 -08:00
2006-10-04 03:38:54 -04:00
2008-01-28 14:53:38 -08:00
2008-10-10 10:16:34 -04:00
2008-12-25 17:21:17 -08:00
2007-02-12 09:48:44 -08:00
2006-09-22 14:55:04 -07:00
2008-11-16 23:01:49 -08:00
2008-09-23 01:05:56 -07:00
2008-12-15 23:41:09 -08:00
2008-03-22 16:56:51 -07:00
2008-01-28 14:54:29 -08:00
2007-04-25 22:27:55 -07:00
2008-11-21 16:45:22 -08:00
2008-06-17 17:08:32 -07:00
2008-10-01 07:35:39 -07:00
2008-04-16 00:46:52 -07:00
2008-11-13 22:56:30 -08:00
2008-11-06 13:51:50 -08:00
2008-06-11 21:00:38 -07:00
2008-11-25 21:17:14 -08:00
2008-07-05 21:25:39 -07:00
2006-01-03 13:10:57 -08:00
2008-12-15 23:43:36 -08:00
2008-11-21 16:45:22 -08:00
2008-06-14 17:04:49 -07:00
2008-11-16 19:39:21 -08:00
2008-10-29 01:41:45 -07:00
2008-06-16 18:32:46 -07:00
2008-11-25 16:41:27 -05:00
2007-02-08 13:34:36 -08:00
2007-04-25 22:24:32 -07:00
2008-11-25 18:00:48 -08:00
619e803d3c