Commit aa68c20ff32f9a6fb3ca7f93ed9beae01899d00d

Authored by Thomas Graf
Committed by David S. Miller
1 parent 6f705d8cfc

bridge: Sanitize IFLA_EXT_MASK for AF_BRIDGE:RTM_GETLINK

Only search for IFLA_EXT_MASK if the message actually carries an
ifinfomsg header and validate minimal length requirements for
IFLA_EXT_MASK.

Fixes: 6cbdceeb ("bridge: Dump vlan information from a bridge port")
Cc: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 1 changed file with 12 additions and 5 deletions

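--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2685,13 +2685,20 @@
 int idx = 0;
 u32 portid = NETLINK_CB(cb->skb).portid;
 u32 seq = cb->nlh->nlmsg_seq;
-struct nlattr *extfilt;
 u32 filter_mask = 0;
 
-extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct ifinfomsg),
-IFLA_EXT_MASK);
-if (extfilt)
-filter_mask = nla_get_u32(extfilt);
+if (nlmsg_len(cb->nlh) > sizeof(struct ifinfomsg)) {
+struct nlattr *extfilt;
+
+extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct ifinfomsg),
+IFLA_EXT_MASK);
+if (extfilt) {
+if (nla_len(extfilt) < sizeof(filter_mask))
+return -EINVAL;
+
+filter_mask = nla_get_u32(extfilt);
+}
+}
 
 rcu_read_lock();
 for_each_netdev_rcu(net, dev) {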
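Review bot: Both new length checks compare a signed `int` with a `size_t`, in `nlmsg_len(cb->nlh) > sizeof(struct ifinfomsg)` and in `nla_len(extfilt) < sizeof(filter_mask)`. A negative length would be converted to a large unsigned value, so the outer test would pass and the inner one would not reject. This is presumably unreachable because the netlink core and the attribute walker validate header lengths before this point, but nothing in the hunk shows that. The reason for the outer guard is also not evident from the code alone, so a comment above it would help, for example `/* Only look for IFLA_EXT_MASK when the payload is larger than struct ifinfomsg; shorter requests carry no attributes at that offset. */`. The enclosing function starts and ends outside the hunk.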