linux-kernel - [patch 1/6] staging: gdm72xx: underflow in netlink_rcv

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <20160222193046.GA23565@mwanda>
Date:	Mon, 22 Feb 2016 22:30:46 +0300
From:	Dan Carpenter <dan.carpenter@...cle.com>
To:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:	Julia Lawall <julia.lawall@...6.fr>,
	Masanari Iida <standby24x7@...il.com>,
	Alison Schofield <amsfield22@...il.com>,
	Shraddha Barke <shraddha.6596@...il.com>,
	devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org,
	kernel-janitors@...r.kernel.org
Subject: [patch 1/6] staging: gdm72xx: underflow in netlink_rcv_cb()

If nlh->nlmsg_len is less than ND_IFINDEX_LEN we end up trying to memcpy
a negative size.  I also re-ordered slighty the condition to make it
more uniform.

Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>

diff --git a/drivers/staging/gdm72xx/netlink_k.c b/drivers/staging/gdm72xx/netlink_k.c
index cf0b47c..4089b17 100644
--- a/drivers/staging/gdm72xx/netlink_k.c
+++ b/drivers/staging/gdm72xx/netlink_k.c
@@ -55,7 +55,8 @@ static void netlink_rcv_cb(struct sk_buff *skb)
 	if (skb->len >= NLMSG_HDRLEN) {
 		nlh = (struct nlmsghdr *)skb->data;
 
-		if (skb->len < nlh->nlmsg_len ||
+		if (nlh->nlmsg_len < ND_IFINDEX_LEN ||
+		    nlh->nlmsg_len > skb->len ||
 		    nlh->nlmsg_len > ND_MAX_MSG_LEN) {
 			netdev_err(skb->dev, "Invalid length (%d,%d)\n",
 				   skb->len, nlh->nlmsg_len);