| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 22 Feb 2016 22:30:46 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Julia Lawall <julia.lawall@...6.fr>,
Masanari Iida <standby24x7@...il.com>,
Alison Schofield <amsfield22@...il.com>,
Shraddha Barke <shraddha.6596@...il.com>,
devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org,
kernel-janitors@...r.kernel.org
Subject: [patch 1/6] staging: gdm72xx: underflow in netlink_rcv_cb()
If nlh->nlmsg_len is less than ND_IFINDEX_LEN we end up trying to memcpy
a negative size. I also re-ordered slighty the condition to make it
more uniform.
Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
diff --git a/drivers/staging/gdm72xx/netlink_k.c b/drivers/staging/gdm72xx/netlink_k.c
index cf0b47c..4089b17 100644
--- a/drivers/staging/gdm72xx/netlink_k.c
+++ b/drivers/staging/gdm72xx/netlink_k.c
@@ -55,7 +55,8 @@ static void netlink_rcv_cb(struct sk_buff *skb)
if (skb->len >= NLMSG_HDRLEN) {
nlh = (struct nlmsghdr *)skb->data;
- if (skb->len < nlh->nlmsg_len ||
+ if (nlh->nlmsg_len < ND_IFINDEX_LEN ||
+ nlh->nlmsg_len > skb->len ||
nlh->nlmsg_len > ND_MAX_MSG_LEN) {
netdev_err(skb->dev, "Invalid length (%d,%d)\n",
skb->len, nlh->nlmsg_len);
Powered by blists - more mailing lists