Sophie

kernel-2.6.18-194.11.1.el5.src.rpm

From: Eugene Teo <eteo@redhat.com>
Date: Mon, 15 Sep 2008 13:45:55 +0800
Subject: [net] netlink: fix overrun in attribute iteration
Message-id: 20080915054555.GA7605@kernel.sg
O-Subject: [RHEL5.4 patch] BZ#462283 kernel: netlink: fix overrun in attribute iteration
Bugzilla: 462283
RH-Acked-by: David Miller <davem@redhat.com>

This is for bz#462283.

kmemcheck reported this:

  kmemcheck: Caught 16-bit read from uninitialized memory (f6c1ba30)
  0500110001508abf050010000500000002017300140000006f72672e66726565
  i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u
                                   ^

It turns out that remaining in nla_ok() can become negative due to
alignment in nla_next(). But GCC promotes "remaining" to unsigned in the
test against sizeof(*nla) above. Therefore the test succeeds, and the
nla_for_each_attr() may access memory outside the received buffer.

Backport of upstream commit: 1045b03e07d85f3545118510a587035536030c1c

Signed-off-by: Eugene Teo <eteo@redhat.com>

diff --git a/include/net/netlink.h b/include/net/netlink.h
index 3f65c80..d200b99 100644
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -655,7 +655,7 @@ static inline int nla_len(const struct nlattr *nla)
  */
 static inline int nla_ok(const struct nlattr *nla, int remaining)
 {
-	return remaining >= sizeof(*nla) &&
+	return remaining >= (int) sizeof(*nla) &&
 	       nla->nla_len >= sizeof(*nla) &&
 	       nla->nla_len <= remaining;
 }
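Review bot: the `(int)` cast on the `sizeof(*nla)` comparison is the whole fix, but nothing in the hunk records why it is there, so a later cleanup could drop it as a redundant cast and silently reintroduce the overrun; add a one-line comment above the `return` noting that `remaining` can go negative after the alignment step in `nla_next()` and must be compared as a signed value. The other two comparisons are left unchanged, which is fine: `nla->nla_len` is only read once the first test has already rejected a negative `remaining`.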
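To make the promotion described in the commit message concrete, here is an added example (not part of the patch or the kernel source) that models the first test of nla_ok() before and after the change and walks a constructed attribute buffer; the struct layout, NLA_ALIGN and the sample buffers are simplified stand-ins for the kernel's.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct nlattr header. */
struct nlattr {
    uint16_t nla_len;   /* header plus payload, before alignment padding */
    uint16_t nla_type;
};
#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))

/* First test of nla_ok() before the patch: remaining is int but sizeof() is
 * size_t, so a negative remaining is converted to a huge unsigned value. */
static int gate_before(int remaining) { return remaining >= sizeof(struct nlattr); }
/* The same test after the patch: the cast keeps the comparison signed. */
static int gate_after(int remaining) { return remaining >= (int) sizeof(struct nlattr); }

/* Iterate like nla_for_each_attr(), with gate() as the first nla_ok() test.
 * Returns the number of attributes accepted, or -1 at the point where the
 * real nla_ok() would read nla->nla_len from outside the buffer. */
static int walk(const unsigned char *buf, int len, int (*gate)(int))
{
    int off = 0, remaining = len, count = 0;
    struct nlattr hdr;

    while (gate(remaining)) {
        if (off + (int) sizeof(hdr) > len)
            return -1;                  /* the out-of-bounds 16-bit read */
        memcpy(&hdr, buf + off, sizeof(hdr));
        if (hdr.nla_len < sizeof(hdr) || hdr.nla_len > remaining)
            break;
        count++;
        /* nla_next(): step by the aligned length; the padding NLA_ALIGN()
         * adds is what can push remaining below zero. */
        off += NLA_ALIGN(hdr.nla_len);
        remaining -= NLA_ALIGN(hdr.nla_len);
    }
    return count;
}

/* Constructed samples: with unaligned set, one attribute carrying a 2-byte
 * payload (nla_len = 6) in a 6-byte buffer; otherwise two 8-byte attributes. */
static int walk_sample(int (*gate)(int), int unaligned)
{
    unsigned char buf[16] = { 0 };
    struct nlattr a = { unaligned ? 6 : 8, 1 }, b = { 8, 2 };
    memcpy(buf, &a, sizeof(a));
    memcpy(buf + 8, &b, sizeof(b));
    return walk(buf, unaligned ? 6 : 16, gate);
}
```

With the unaligned sample the pre-patch test lets the loop continue at remaining = -2 and the next header read would fall outside the buffer, while the patched test stops after the single valid attribute.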