diff options
author | Martin Murray <murrayma@citi.umich.edu> | 2006-01-10 21:02:29 -0800 |
---|---|---|
committer | Chris Wright <chrisw@sous-sol.org> | 2006-01-14 22:15:30 -0800 |
commit | 7abeff5a23abb2d0edc54cc1cc3acaf886ea98ca (patch) | |
tree | e1f1d2494dea12570bc56913501669cc162ae2d4 /net/netlink | |
parent | 15ee2e069481ce6de3523e4effeddd44c61cc65a (diff) |
[PATCH] Fix DoS in netlink_rcv_skb() (CVE-2006-0035)
Sanity check nlmsg_len during netlink_rcv_skb. An nlmsg_len == 0 can
cause infinite loop in kernel, effectively DoSing machine. Noted by
Martin Murray.
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netlink')
-rw-r--r-- | net/netlink/af_netlink.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index a002f2b686f..fc5a735ba0a 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1422,7 +1422,7 @@ static int netlink_rcv_skb(struct sk_buff *skb, int (*cb)(struct sk_buff *, while (skb->len >= nlmsg_total_size(0)) { nlh = (struct nlmsghdr *) skb->data; - if (skb->len < nlh->nlmsg_len) + if (nlh->nlmsg_len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len) return 0; total_len = min(NLMSG_ALIGN(nlh->nlmsg_len), skb->len); |