From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Ahern
Subject: Re: [PATCH net-next 15/20] net/neighbor: Update neightbl_dump_info for strict data checking
Date: Sun, 7 Oct 2018 19:34:53 -0600
Message-ID: <8975bc0f-155a-849d-efd4-a988754de936@gmail.com>
References: <20181004213355.14899-1-dsahern@kernel.org> <20181004213355.14899-16-dsahern@kernel.org> <20181007104846.cjy4zsmz5lsosq3o@brauner.io>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, davem@davemloft.net, jbenc@redhat.com, stephen@networkplumber.org
To: Christian Brauner , David Ahern
Return-path:
Received: from mail-pf1-f193.google.com ([209.85.210.193]:43645 "EHLO mail-pf1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725760AbeJHIoJ (ORCPT ); Mon, 8 Oct 2018 04:44:09 -0400
Received: by mail-pf1-f193.google.com with SMTP id p24-v6so7556891pff.10 for ; Sun, 07 Oct 2018 18:34:56 -0700 (PDT)
In-Reply-To: <20181007104846.cjy4zsmz5lsosq3o@brauner.io>
Content-Language: en-US
Sender: netdev-owner@vger.kernel.org
List-ID:

On 10/7/18 4:48 AM, Christian Brauner wrote:
>> + >> static int neightbl_dump_info(struct sk_buff *skb, struct netlink_callback *cb) >> { >> + const struct nlmsghdr *nlh = cb->nlh; >> struct net *net = sock_net(skb->sk); >> int family, tidx, nidx = 0; >> int tbl_skip = cb->args[0]; >> int neigh_skip = cb->args[1]; >> struct neigh_table *tbl; >> >> - family = ((struct rtgenmsg *) nlmsg_data(cb->nlh))->rtgen_family; >> + if (cb->strict_check) { >> + int err = neightbl_valid_dump_info(nlh, cb->extack); >> + >> + if (err) >> + return err; >> + } >> + >> + family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
>
> So this already was a problem prior to your patch: what happens when you
> pass in the wrong struct? Then this case is not safe to do and might
> contain all kinds of crap.

'This case' meaning the above dereference?

family is *always* the first element in all of the header structs.
It is core to the rtnetlink processing.
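
Review bot: in the non-strict path the final `family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;` still runs unchecked as far as this hunk shows, because `neightbl_valid_dump_info()` is only called under `cb->strict_check`. The cast is safe only if every rtnetlink header struct begins with the family field, as the reply states, and if the payload is at least that long; neither invariant is visible in these lines. A short comment above the cast stating the invariant, and where the minimum message length is enforced, would settle the question raised in review for later readers.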