Re: [PATCH net] net: netlink: prevent potential integer overflow in nlmsg_new()
From: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Date: 2025-01-22 13:53:15
Also in:
kernel-janitors, lkml
From: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Date: 2025-01-22 13:53:15
Also in:
kernel-janitors, lkml
On 1/22/25 14:49, Dan Carpenter wrote:
The "payload" variable is type size_t, however the nlmsg_total_size() function will a few bytes to it and then truncate the result to type int. That means that if "payload" is more than UINT_MAX the alloc_skb()
In the code it's INT_MAX, would be best to have the same used in both places (or explain it so it's obvious)
function might allocate a buffer which is smaller than intended. Cc: stable@vger.kernel.org Fixes: bfa83a9e03cf ("[NETLINK]: Type-safe netlink messages/attributes interface") Signed-off-by: Dan Carpenter <redacted> --- include/net/netlink.h | 2 ++ 1 file changed, 2 insertions(+)diff --git a/include/net/netlink.h b/include/net/netlink.h index e015ffbed819..ca7a8152e6d4 100644 --- a/include/net/netlink.h +++ b/include/net/netlink.h@@ -1015,6 +1015,8 @@ static inline struct nlmsghdr *nlmsg_put_answer(struct sk_buff *skb, */ static inline struct sk_buff *nlmsg_new(size_t payload, gfp_t flags) { + if (payload > INT_MAX) + return NULL; return alloc_skb(nlmsg_total_size(payload), flags); }