Re: old NLMSG_OK fix
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: 2004-06-28 09:43:37
David S. Miller [off-list ref] wrote:
On Sun, 27 Jun 2004 19:15:52 +0200 Christoph Hellwig [off-list ref] wrote:
It works because there is always 16 bytes of scratch at the end of an SKB more than was allocated for the actual data. So blindly deref'ing the nlmsg_len value is fine here.
Yes but this is also used by user-space applications where this scratch space may not exist. NETLINK messages can travel from one application to another so exploits are possible.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
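The two orderings under discussion, as an added illustration that is not part of the thread and not the kernel's own code: `nlmsg_ok_old` reads `nlmsg_len` before anything proves the header lies inside the caller's `len` bytes (the "blind deref" that only the SKB's 16 bytes of tailroom make safe), while `nlmsg_ok_new` checks `len` first and dereferences only a header known to fit. The `struct nlmsghdr` copy mirrors the field layout of `<linux/netlink.h>`; the 18-byte datagram, the 0x10 fill bytes behind it and the `slack` parameter (16 for an SKB, 0 for a plain user-space receive buffer) are constructed for the demo. The second input, a message whose `nlmsg_len` is not 4-byte aligned so that `NLMSG_NEXT` drives the remaining length negative, is my own extension of the point and says nothing about any particular kernel version; `walk` also carries an extra guard (`escaped`) that the real macros do not have, so that the old check reports a fault instead of actually reading unmapped memory here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Netlink header, same layout as <linux/netlink.h>, declared locally so the
 * file builds on any platform. */
struct nlmsghdr {
    uint32_t nlmsg_len;   /* total length of the message, header included */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};
#define NLMSG_ALIGN(len) (((len) + 3u) & ~3u)

/* A check sees the bytes at the current position ('p', of which 'avail' are
 * readable memory) and the caller's remaining length 'len'. It returns 1 (ok),
 * 0 (stop) or -1 (the check would read unmapped memory). *over_read is how many
 * of the four bytes of nlmsg_len lie past p+len, i.e. bytes read that the
 * caller never owned. */
typedef int (*nlmsg_check)(const unsigned char *p, size_t avail, int len, int *over_read);

/* Old ordering (demo reconstruction): dereference nlmsg_len, then compare. */
static int nlmsg_ok_old(const unsigned char *p, size_t avail, int len, int *over_read)
{
    uint32_t nlen;
    if (avail < sizeof nlen)
        return -1;                       /* no slack behind the data: fault */
    *over_read = len < (int)sizeof nlen ? (int)sizeof nlen - len : 0;
    memcpy(&nlen, p, sizeof nlen);
    /* u32 <= int: len converts to unsigned, so a negative len compares as huge. */
    return nlen >= sizeof(struct nlmsghdr) && nlen <= (unsigned int)len;
}

/* Fixed ordering: prove a whole header fits in len (signed compare, so a
 * negative remainder fails too) before touching it. */
static int nlmsg_ok_new(const unsigned char *p, size_t avail, int len, int *over_read)
{
    uint32_t nlen;
    *over_read = 0;
    if (len < (int)sizeof(struct nlmsghdr))
        return 0;
    if (avail < sizeof(struct nlmsghdr))
        return -1;                       /* caller's len lied; unreachable below */
    memcpy(&nlen, p, sizeof nlen);
    return nlen >= sizeof(struct nlmsghdr) && nlen <= (unsigned int)len;
}

struct walk {
    int accepted;   /* messages the check let through */
    int over_read;  /* header bytes read beyond buf+len */
    int escaped;    /* 1 if the check would have read unmapped memory */
};

/* Consume a stream the way a netlink reader does: check, handle, NLMSG_NEXT.
 * 'len' bytes of messages sit at the start of 'backing'; 'backing_len' bytes
 * are readable, the difference modelling the slack behind the data. */
static struct walk walk(const unsigned char *backing, size_t backing_len, int len,
                        nlmsg_check check)
{
    struct walk w = {0, 0, 0};
    size_t off = 0;
    for (;;) {
        size_t avail = off < backing_len ? backing_len - off : 0;
        const unsigned char *p = avail ? backing + off : NULL;
        int over = 0;
        int r = check(p, avail, len, &over);
        if (r < 0) { w.escaped = 1; break; }
        w.over_read += over;
        if (r == 0) break;
        w.accepted++;
        uint32_t nlen, step;             /* NLMSG_NEXT: step by the aligned length */
        memcpy(&nlen, p, sizeof nlen);
        step = NLMSG_ALIGN(nlen);
        off += step;
        len -= (int)step;                /* goes negative if nlen was unaligned */
    }
    return w;
}

/* Constructed input: one message whose header claims 'nlmsg_len' bytes, in an
 * 18-byte datagram, with 'slack' readable bytes of stale 0x10 behind it.
 * nlmsg_len == 16 leaves two stray trailing bytes; nlmsg_len == 18 makes
 * NLMSG_NEXT step 20 bytes and len end up at -2. */
static struct walk scenario(uint32_t nlmsg_len, size_t slack, nlmsg_check check)
{
    static unsigned char backing[64];
    struct nlmsghdr h = { nlmsg_len, 0, 0, 0, 0 };
    memset(backing, 0x10, sizeof backing);
    memcpy(backing, &h, sizeof h);
    return walk(backing, 18 + slack, 18, check);
}

int main(void)
{
    static const struct { const char *name; nlmsg_check fn; } checks[] = {
        { "old", nlmsg_ok_old }, { "new", nlmsg_ok_new } };
    uint32_t lens[] = { 16, 18 };
    size_t slacks[] = { 16, 0 };           /* SKB tailroom vs. plain buffer */
    for (size_t c = 0; c < 2; c++)
        for (size_t l = 0; l < 2; l++)
            for (size_t s = 0; s < 2; s++) {
                struct walk w = scenario(lens[l], slacks[s], checks[c].fn);
                printf("%s check, nlmsg_len=%u, slack=%zu: accepted=%d over_read=%d escaped=%d\n",
                       checks[c].name, lens[l], slacks[s], w.accepted, w.over_read, w.escaped);
            }
    return 0;
}
```

With 16 bytes of slack the old check survives the two stray bytes only because it reads two bytes it does not own; with no slack it faults, which is the user-space case Herbert describes. The fixed ordering never reads outside `len`, and because it compares `len` as a signed value it also stops on the unaligned-length input, where the old ordering accepts a bogus second message out of the stale bytes before running off the buffer.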