]> git.kernelconcepts.de Git - karo-tx-linux.git/commitdiff
projects / karo-tx-linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 15ee2e0)
[PATCH] Fix DoS in netlink_rcv_skb() (CVE-2006-0035)
authorMartin Murray <murrayma@citi.umich.edu>
Wed, 11 Jan 2006 05:02:29 +0000 (21:02 -0800)
committerChris Wright <chrisw@sous-sol.org>
Sun, 15 Jan 2006 06:15:30 +0000 (22:15 -0800)
Sanity check nlmsg_len during netlink_rcv_skb.  An nlmsg_len == 0 can
cause infinite loop in kernel, effectively DoSing machine.  Noted by
Martin Murray.

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/netlink/af_netlink.c patch | blob | history

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index a002f2b686f25e2cc3d8db5abf1fc0760c26e7c3..fc5a735ba0ac6eacb6038ccd40a988538a0d6bf3 100644 (file)
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1422,7 +1422,7 @@ static int netlink_rcv_skb(struct sk_buff *skb, int (*cb)(struct sk_buff *,
        while (skb->len >= nlmsg_total_size(0)) {
                nlh = (struct nlmsghdr *) skb->data;
 
-               if (skb->len < nlh->nlmsg_len)
+               if (nlh->nlmsg_len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len)
                        return 0;
 
                total_len = min(NLMSG_ALIGN(nlh->nlmsg_len), skb->len);
Linux kernel for KaRo TX COM modules