Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit aa68c20f authored by Thomas Graf's avatar Thomas Graf Committed by David S. Miller
Browse files

bridge: Sanitize IFLA_EXT_MASK for AF_BRIDGE:RTM_GETLINK 



Only search for IFLA_EXT_MASK if the message actually carries a
ifinfomsg header and validate minimal length requirements for
IFLA_EXT_MASK.

Fixes: 6cbdceeb ("bridge: Dump vlan information from a bridge port")
Cc: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: default avatarThomas Graf <tgraf@suug.ch>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 6f705d8c

net/core/rtnetlink.c

+12 −5
Original line number Diff line number Diff line
@@ -2685,13 +2685,20 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb) 
	int idx = 0;

	u32 portid = NETLINK_CB(cb->skb).portid;

	u32 seq = cb->nlh->nlmsg_seq;

	struct nlattr *extfilt;

	u32 filter_mask = 0;



	if (nlmsg_len(cb->nlh) > sizeof(struct ifinfomsg)) {

		struct nlattr *extfilt;



		extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct ifinfomsg),

					  IFLA_EXT_MASK);

	if (extfilt)

		if (extfilt) {

			if (nla_len(extfilt) < sizeof(filter_mask))

				return -EINVAL;



			filter_mask = nla_get_u32(extfilt);

		}

	}



	rcu_read_lock();

	for_each_netdev_rcu(net, dev) {