Commit aa68c20ff32f9a6fb3ca7f93ed9beae01899d00d
Committed by
David S. Miller
1 parent
6f705d8cfc
Exists in
ti-lsk-linux-4.1.y
and in
10 other branches
bridge: Sanitize IFLA_EXT_MASK for AF_BRIDGE:RTM_GETLINK
Only search for IFLA_EXT_MASK if the message actually carries a ifinfomsg header and validate minimal length requirements for IFLA_EXT_MASK. Fixes: 6cbdceeb ("bridge: Dump vlan information from a bridge port") Cc: Vlad Yasevich <vyasevic@redhat.com> Signed-off-by: Thomas Graf <tgraf@suug.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 12 additions and 5 deletions Side-by-side Diff
net/core/rtnetlink.c
... | ... | @@ -2685,13 +2685,20 @@ |
2685 | 2685 | int idx = 0; |
2686 | 2686 | u32 portid = NETLINK_CB(cb->skb).portid; |
2687 | 2687 | u32 seq = cb->nlh->nlmsg_seq; |
2688 | - struct nlattr *extfilt; | |
2689 | 2688 | u32 filter_mask = 0; |
2690 | 2689 | |
2691 | - extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct ifinfomsg), | |
2692 | - IFLA_EXT_MASK); | |
2693 | - if (extfilt) | |
2694 | - filter_mask = nla_get_u32(extfilt); | |
2690 | + if (nlmsg_len(cb->nlh) > sizeof(struct ifinfomsg)) { | |
2691 | + struct nlattr *extfilt; | |
2692 | + | |
2693 | + extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct ifinfomsg), | |
2694 | + IFLA_EXT_MASK); | |
2695 | + if (extfilt) { | |
2696 | + if (nla_len(extfilt) < sizeof(filter_mask)) | |
2697 | + return -EINVAL; | |
2698 | + | |
2699 | + filter_mask = nla_get_u32(extfilt); | |
2700 | + } | |
2701 | + } | |
2695 | 2702 | |
2696 | 2703 | rcu_read_lock(); |
2697 | 2704 | for_each_netdev_rcu(net, dev) { |