[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 19 Sep 2007 09:16:00 +0200
From: Holger Eitzenberger <holger@...eitzenberger.de>
To: David Miller <davem@...emloft.net>
Cc: netdev@...r.kernel.org
Subject: Re: [FIX NETLINK] properly check arguments to netlink_bind()
David Miller <davem@...emloft.net> writes:
>> > while going through going netlink code I found out that netlink_bind()
>> > does not properly check bind parameters. I checked both 2.6.23-rc1 as
>> > well as 2.6.16.53, both are affected.
> Firstly, you patch compares the address _pointer_ against
> the minimum length. That's obviously wrong.
True, the message send later fixed that.
> And if you check the call sites of the protocol ->bind() methods, they
> all use on-stack buffer for the address object which is at least
> MAX_SOCK_ADDR bytes in length so that the bind methods don't have to
> check the size if they don't want to.
Also true, but in that case you still end up accessing uninitialized
data. Also note that e. g. inet_bind() checks explicitely for that and
it's not clear to me why netlink_bind() is different. Maybe you just
help me figuring out.
Another point is that simply calling
bind(nl_fd, (struct sockaddr *)&an_int, sizeof(int));
will not return EINVAL but depends on the randomn data after an_int.
/holger
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists