[PATCH 5/5] bridge: Sanitize IFLA_EXT_MASK for AF_BRIDGE:RTM_GETLINK

[PATCH 0/5 net] bridge: Fix missing Netlink message validations · Thomas Graf <tgraf@suug.ch> · 2014-11-26
[PATCH 1/5] bridge: Validate IFLA_BRIDGE_FLAGS attribute length · Thomas Graf <tgraf@suug.ch> · 2014-11-26
[PATCH 2/5] net: Validate IFLA_BRIDGE_MODE attribute length · Thomas Graf <tgraf@suug.ch> · 2014-11-26
Re: [PATCH 2/5] net: Validate IFLA_BRIDGE_MODE attribute length · Jeff Kirsher <hidden> · 2014-11-26
Re: [PATCH 2/5] net: Validate IFLA_BRIDGE_MODE attribute length · John Fastabend <john.fastabend@gmail.com> · 2014-11-26
[PATCH 3/5] net: Check for presence of IFLA_AF_SPEC · Thomas Graf <tgraf@suug.ch> · 2014-11-26
Re: [PATCH 3/5] net: Check for presence of IFLA_AF_SPEC · Jeff Kirsher <hidden> · 2014-11-26
[PATCH 4/5] bridge: Add missing policy entry for IFLA_BRPORT_FAST_LEAVE · Thomas Graf <tgraf@suug.ch> · 2014-11-26
[PATCH 5/5] bridge: Sanitize IFLA_EXT_MASK for AF_BRIDGE:RTM_GETLINK · Thomas Graf <tgraf@suug.ch> · 2014-11-26
Re: [PATCH 0/5 net] bridge: Fix missing Netlink message validations · John Fastabend <john.fastabend@gmail.com> · 2014-11-26
Re: [PATCH 0/5 net] bridge: Fix missing Netlink message validations · Thomas Graf <tgraf@suug.ch> · 2014-11-26
Re: [PATCH 0/5 net] bridge: Fix missing Netlink message validations · John Fastabend <john.fastabend@gmail.com> · 2014-11-26
Re: [PATCH 0/5 net] bridge: Fix missing Netlink message validations · Thomas Graf <tgraf@suug.ch> · 2014-11-26
Re: [PATCH 0/5 net] bridge: Fix missing Netlink message validations · John Fastabend <john.fastabend@gmail.com> · 2014-11-29
Re: [PATCH 0/5 net] bridge: Fix missing Netlink message validations · David Miller <davem@davemloft.net> · 2014-11-26

STALE4203d

From: Thomas Graf <tgraf@suug.ch>
Date: 2014-11-26 12:42:34
Subsystem: networking [general], the rest · Maintainers: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds

Only search for IFLA_EXT_MASK if the message actually carries a
ifinfomsg header and validate minimal length requirements for
IFLA_EXT_MASK.

Fixes: 6cbdceeb ("bridge: Dump vlan information from a bridge port")
Cc: Vlad Yasevich <redacted>
Signed-off-by: Thomas Graf <tgraf@suug.ch>
---
 net/core/rtnetlink.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 5a853f8..b9b7dfa 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c

@@ -2685,13 +2685,20 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb)
 	int idx = 0;
 	u32 portid = NETLINK_CB(cb->skb).portid;
 	u32 seq = cb->nlh->nlmsg_seq;
-	struct nlattr *extfilt;
 	u32 filter_mask = 0;
 
-	extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct ifinfomsg),
-				  IFLA_EXT_MASK);
-	if (extfilt)
-		filter_mask = nla_get_u32(extfilt);
+	if (nlmsg_len(cb->nlh) > sizeof(struct ifinfomsg)) {
+		struct nlattr *extfilt;
+
+		extfilt = nlmsg_find_attr(cb->nlh, sizeof(struct ifinfomsg),
+					  IFLA_EXT_MASK);
+		if (extfilt) {
+			if (nla_len(extfilt) < sizeof(filter_mask))
+				return -EINVAL;
+
+			filter_mask = nla_get_u32(extfilt);
+		}
+	}
 
 	rcu_read_lock();
 	for_each_netdev_rcu(net, dev) {

-- 
1.9.3

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help