Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a4b64fbe authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

rtnetlink: fix rtnl_calcit() and rtnl_dump_ifinfo() 



nlmsg_parse() might return an error, so test its return value before
potential random memory accesses.

Errors introduced in commit 115c9b81 (rtnetlink: Fix problem with
buffer allocation)

Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
Cc: Greg Rose <gregory.v.rose@intel.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 709e1b5c

net/core/rtnetlink.c

+10 −8
Original line number Diff line number Diff line
@@ -1060,11 +1060,12 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb) 
	rcu_read_lock();

	cb->seq = net->dev_base_seq;



	nlmsg_parse(cb->nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX,

		    ifla_policy);

	if (nlmsg_parse(cb->nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX,

			ifla_policy) >= 0) {



		if (tb[IFLA_EXT_MASK])

			ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]);

	}



	for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {

		idx = 0;
@@ -1900,10 +1901,11 @@ static u16 rtnl_calcit(struct sk_buff *skb, struct nlmsghdr *nlh) 
	u32 ext_filter_mask = 0;

	u16 min_ifinfo_dump_size = 0;



	nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX, ifla_policy);



	if (nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX,

			ifla_policy) >= 0) {

		if (tb[IFLA_EXT_MASK])

			ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]);

	}



	if (!ext_filter_mask)

		return NLMSG_GOODSIZE;