Re: [PATCH 0/5 net] bridge: Fix missing Netlink message validations
From: John Fastabend <john.fastabend@gmail.com>
Date: 2014-11-26 16:58:40
On 11/26/2014 04:42 AM, Thomas Graf wrote:
Adds various missing length checks in the bridging code for Netlink
messages and corresponding attributes provided by user space.

Thomas Graf (5):
  bridge: Validate IFLA_BRIDGE_FLAGS attribute length
  net: Validate IFLA_BRIDGE_MODE attribute length
  net: Check for presence of IFLA_AF_SPEC
  bridge: Add missing policy entry for IFLA_BRPORT_FAST_LEAVE
  bridge: Sanitize IFLA_EXT_MASK for AF_BRIDGE:RTM_GETLINK

 drivers/net/ethernet/emulex/benet/be_main.c   |  5 +++++
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c |  5 +++++
 net/bridge/br_netlink.c                       |  1 +
 net/core/rtnetlink.c                          | 23 ++++++++++++++++++----
 4 files changed, 29 insertions(+), 5 deletions(-)

+Jiri

Looks like a miss in bond_netlink also? Seems like writing a smatch or cocci check for this would be worthwhile.
diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c index 3e6eebd..7b11243 100644 --- a/drivers/net/bonding/bond_netlink.c +++ b/drivers/net/bonding/bond_netlink.c@@ -225,7 +225,12 @@ static int bond_changelink(struct net_device *bond_dev, bond_option_arp_ip_targets_clear(bond); nla_for_each_nested(attr, data[IFLA_BOND_ARP_IP_TARGET], rem) { - __be32 target = nla_get_be32(attr); + __be32 target; + + if (nla_len(attr) < sizeof(target)) + return -EINVAL; + + target = nla_get_be32(attr); bond_opt_initval(&newval, (__force u64)target); err = __bond_opt_set(bond, BOND_OPT_ARP_TARGETS,
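Review bot: the new "return -EINVAL" in bond_changelink() sits inside the nla_for_each_nested() loop, which runs after bond_option_arp_ip_targets_clear(bond), so a short attribute part-way through IFLA_BOND_ARP_IP_TARGET rejects the request but leaves the bond with its previous ARP targets already cleared and possibly only some of the new ones set. Consider checking nla_len() for every nested attribute in a first pass before the clear, so a malformed request fails without changing state. Comparing against sizeof(target) rather than a literal 4 is good and keeps the check tied to the type that nla_get_be32() reads.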
-- 
John Fastabend
Intel Corporation
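Added example (not part of the thread and not kernel code): a user-space C model of the per-attribute length check the bonding hunk adds, showing why a payload shorter than the 4 bytes being read must be rejected. The attr_hdr layout, walk(), collect_targets() and both sample messages are constructed for illustration; unlike the hunk, this model validates every attribute before copying anything and treats broken framing as an error.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a Netlink attribute header: len counts header + payload, padded to 4. */
struct attr_hdr { uint16_t len; uint16_t type; };
#define HDRLEN    ((int)sizeof(struct attr_hdr))
#define ALIGN4(n) (((n) + 3) & ~3)

/* Constructed samples as host-endian 16-bit words: {len, type, payload...}. */
static const uint16_t good_msg[]  = { 8, 1, 0x1111, 0x2222, 8, 2, 0x3333, 0x4444 };
static const uint16_t short_msg[] = { 8, 1, 0x1111, 0x2222, 6, 2, 0x3333, 0 };

/* Walk the attributes; with out == NULL only validate. Returns count or -1. */
static int walk(const uint8_t *buf, int rem, uint32_t *out, int max)
{
    int n = 0;
    while (rem >= HDRLEN) {
        struct attr_hdr h;
        memcpy(&h, buf, sizeof(h));
        if (h.len < HDRLEN || h.len > rem || n >= max)
            return -1;              /* broken framing or too many entries */
        if (h.len - HDRLEN < (int)sizeof(uint32_t))
            return -1;              /* payload shorter than the 4 bytes we read */
        if (out)
            memcpy(&out[n], buf + HDRLEN, sizeof(uint32_t));
        n++;
        int step = ALIGN4(h.len) > rem ? rem : ALIGN4(h.len);
        buf += step;
        rem -= step;
    }
    return n;
}

/* Validate every attribute first, then copy: on error out[] is left untouched. */
int collect_targets(const uint8_t *buf, int len, uint32_t *out, int max)
{
    if (walk(buf, len, NULL, max) < 0)
        return -1;
    return walk(buf, len, out, max);
}

int main(void)
{
    uint32_t out[4] = { 0 };
    printf("good:  %d\n", collect_targets((const uint8_t *)good_msg, sizeof(good_msg), out, 4));
    printf("short: %d\n", collect_targets((const uint8_t *)short_msg, sizeof(short_msg), out, 4));
    return 0;
}
```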