From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751842AbdAMMCd (ORCPT ); Fri, 13 Jan 2017 07:02:33 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:46430 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751810AbdAMMC1 (ORCPT ); Fri, 13 Jan 2017 07:02:27 -0500
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Mathias Krause, Roopa Prabhu, "David S. Miller"
Subject: [PATCH 4.9 16/59] rtnl: stats - add missing netlink message size checks
Date: Fri, 13 Jan 2017 13:01:23 +0100
Message-Id: <20170113113839.979664599@linuxfoundation.org>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20170113113839.364876751@linuxfoundation.org>
References: <20170113113839.364876751@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mathias Krause

[ Upstream commit 4775cc1f2d5abca894ac32774eefc22c45347d1c ]

We fail to check if the netlink message is actually big enough to contain a struct if_stats_msg. Add a check to prevent userland from sending us short messages that would make us access memory beyond the end of the message.

Fixes: 10c9ead9f3c6 ("rtnetlink: add new RTM_GETSTATS message to dump...")
Signed-off-by: Mathias Krause
Cc: Roopa Prabhu
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/core/rtnetlink.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -3886,6 +3886,9 @@ static int rtnl_stats_get(struct sk_buff u32 filter_mask; int err; + if (nlmsg_len(nlh) < sizeof(*ifsm)) + return -EINVAL; + ifsm = nlmsg_data(nlh); if (ifsm->ifindex > 0) dev = __dev_get_by_index(net, ifsm->ifindex); @@ -3935,6 +3938,9 @@ static int rtnl_stats_dump(struct sk_buf cb->seq = net->dev_base_seq; + if (nlmsg_len(cb->nlh) < sizeof(*ifsm)) + return -EINVAL; + ifsm = nlmsg_data(cb->nlh); filter_mask = ifsm->filter_mask; if (!filter_mask)
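Review bot: in the rtnl_stats_get hunk, `nlmsg_len(nlh) < sizeof(*ifsm)` compares a signed int (nlmsg_len() returns int) against a size_t, so the comparison is performed unsigned and a negative payload length would wrap to a huge value and pass; that cannot occur here only because the netlink core rejects any header shorter than NLMSG_HDRLEN before dispatching to this handler, so an `(int)sizeof(*ifsm)` cast, or a comment, would make that reliance explicit. The placement is correct: the check precedes `ifsm = nlmsg_data(nlh);`, so neither `ifsm->ifindex` nor `filter_mask` is read from an undersized payload, and using `<` rather than `!=` still accepts longer messages, which is the netlink forward-compatibility convention.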
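Review bot: in the rtnl_stats_dump hunk the new check lands after `cb->seq = net->dev_base_seq;`, so the callback updates dump state before it has validated its input; moving the three added lines above that assignment keeps validation first at no cost. Note also that a dump callback is re-entered once per skb the dump fills, so this length test runs on every call; it is cheap and `cb->nlh` is the same request each time, so the first rejection is the one that matters, but it is worth stating in a comment so nobody "optimises" the repeated check into the wrong place later.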
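The length check the commit message describes, as an added example that is not part of the patch or the kernel tree: a user-space C model of what the netlink core checks before dispatch and what the patched handler must check before touching the payload. The struct layouts and helper names mirror struct nlmsghdr, struct if_stats_msg, nlmsg_len() and nlmsg_data() from the kernel (an assumption of this example, written here so it compiles without Linux headers); build_request(), core_header_check(), stats_request_parse() and the demo_* functions are hypothetical names for this illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirrors of the kernel UAPI layouts (assumption; see <linux/netlink.h>
 * and <linux/if_link.h> for the real definitions). */
struct nlmsghdr_model {
    uint32_t nlmsg_len;   /* total length, header included */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

struct if_stats_msg_model {
    uint8_t  family;
    uint8_t  pad1;
    uint16_t pad2;
    uint32_t ifindex;
    uint32_t filter_mask;
};

#define NLMSG_ALIGNTO     4U
#define NLMSG_ALIGN(len)  (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NLMSG_HDRLEN      ((int)NLMSG_ALIGN(sizeof(struct nlmsghdr_model)))

/* Like the kernel's nlmsg_len(): payload length, signed. */
static int nlmsg_len_model(const struct nlmsghdr_model *nlh)
{
    return (int)nlh->nlmsg_len - NLMSG_HDRLEN;
}

static const void *nlmsg_data_model(const struct nlmsghdr_model *nlh)
{
    return (const unsigned char *)nlh + NLMSG_HDRLEN;
}

/* What the netlink core enforces before a handler runs: the header must
 * claim at least a header's worth of bytes and no more than were received. */
static int core_header_check(const unsigned char *buf, size_t buflen,
                             const struct nlmsghdr_model **out)
{
    const struct nlmsghdr_model *nlh;

    if (buflen < (size_t)NLMSG_HDRLEN)
        return -EINVAL;
    nlh = (const struct nlmsghdr_model *)buf;
    if (nlh->nlmsg_len < (uint32_t)NLMSG_HDRLEN || nlh->nlmsg_len > buflen)
        return -EINVAL;
    *out = nlh;
    return 0;
}

/* The handler-level check the patch adds: the payload must hold a whole
 * struct if_stats_msg before any field of it is read. The cast keeps the
 * comparison signed, so a negative payload length cannot slip through. */
static int stats_request_parse(const unsigned char *buf, size_t buflen,
                               uint32_t *ifindex, uint32_t *filter_mask)
{
    const struct nlmsghdr_model *nlh;
    const struct if_stats_msg_model *ifsm;
    int err = core_header_check(buf, buflen, &nlh);

    if (err)
        return err;
    if (nlmsg_len_model(nlh) < (int)sizeof(*ifsm))
        return -EINVAL;
    ifsm = nlmsg_data_model(nlh);
    *ifindex = ifsm->ifindex;
    *filter_mask = ifsm->filter_mask;
    return 0;
}

/* Constructs a request; payload_len below sizeof(struct if_stats_msg)
 * models the truncated message a hostile userland could send. */
static size_t build_request(unsigned char *buf, size_t payload_len,
                            uint32_t ifindex, uint32_t filter_mask)
{
    struct nlmsghdr_model hdr;
    struct if_stats_msg_model ifsm;
    size_t copy = payload_len < sizeof(ifsm) ? payload_len : sizeof(ifsm);

    memset(&hdr, 0, sizeof(hdr));
    memset(&ifsm, 0, sizeof(ifsm));
    hdr.nlmsg_len  = (uint32_t)(NLMSG_HDRLEN + payload_len);
    hdr.nlmsg_type = 94;   /* RTM_GETSTATS in <linux/rtnetlink.h>; not dispatched on here */
    ifsm.ifindex = ifindex;
    ifsm.filter_mask = filter_mask;
    memcpy(buf, &hdr, sizeof(hdr));
    memset(buf + NLMSG_HDRLEN, 0, payload_len);
    memcpy(buf + NLMSG_HDRLEN, &ifsm, copy);
    return hdr.nlmsg_len;
}

/* Scenario helpers: build a request with the given payload length, optionally
 * hand the parser fewer bytes than the header claims, and return the verdict. */
static int demo_parse(size_t payload_len, size_t truncate_by,
                      uint32_t *ifindex, uint32_t *filter_mask)
{
    unsigned char buf[64];
    size_t len = build_request(buf, payload_len, 7, 0x10);

    return stats_request_parse(buf, len - truncate_by, ifindex, filter_mask);
}

int demo_full_request(void)
{
    uint32_t ifindex = 0, mask = 0;
    int err = demo_parse(sizeof(struct if_stats_msg_model), 0, &ifindex, &mask);

    return err == 0 && ifindex == 7 && mask == 0x10;
}

int demo_header_only(void)
{
    uint32_t ifindex = 0, mask = 0;
    return demo_parse(0, 0, &ifindex, &mask);
}

int demo_payload_one_byte_short(void)
{
    uint32_t ifindex = 0, mask = 0;
    return demo_parse(sizeof(struct if_stats_msg_model) - 1, 0, &ifindex, &mask);
}

int demo_header_claims_more_than_received(void)
{
    uint32_t ifindex = 0, mask = 0;
    return demo_parse(sizeof(struct if_stats_msg_model), 1, &ifindex, &mask);
}

int main(void)
{
    printf("full request accepted: %d\n", demo_full_request());
    printf("header only: %d\n", demo_header_only());
    printf("payload one byte short: %d\n", demo_payload_one_byte_short());
    printf("header overclaims: %d\n", demo_header_claims_more_than_received());
    return 0;
}
```

Only the first scenario reaches the field reads; the header-only and one-byte-short cases are exactly the messages the unpatched handler would have dereferenced past the end of, and the last case is what the core check (not the patch) is responsible for. Exercising the real path needs an AF_NETLINK socket on a Linux host; this model only isolates the check logic.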