diff options
author | Vegard Nossum <vegard.nossum@gmail.com> | 2008-12-25 17:21:17 -0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-12-25 17:21:17 -0800 |
commit | 619e803d3c1b7bcc17c45e81f309d0b9b3df2d5d (patch) | |
tree | c2c279dd155e07e96c7a2f483cce6c48c1640cd6 /crypto/khazad.c | |
parent | 64ff3b938ec6782e6585a83d5459b98b0c3f6eb8 (diff) | |
download | op-kernel-dev-619e803d3c1b7bcc17c45e81f309d0b9b3df2d5d.zip op-kernel-dev-619e803d3c1b7bcc17c45e81f309d0b9b3df2d5d.tar.gz |
netlink: fix (theoretical) overrun in message iteration
See commit 1045b03e07d85f3545118510a587035536030c1c ("netlink: fix
overrun in attribute iteration") for a detailed explanation of why
this patch is necessary.
In short, nlmsg_next() can make "remaining" go negative, and the
remaining >= sizeof(...) comparison will promote "remaining" to an
unsigned type, which means that the expression will evaluate to
true for negative numbers, even though it was not intended.
I put "theoretical" in the title because I have no evidence that
this can actually happen, but I suspect that a crafted netlink
packet can trigger some badness.
Note that the last test, which seemingly has the exact same
problem (also true for nla_ok()), is perfectly OK, since we
already know that remaining is positive.
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'crypto/khazad.c')
0 files changed, 0 insertions, 0 deletions