From cdbe7c2d6d485459801838c244c409b938e32df5 Mon Sep 17 00:00:00 2001 From: Jiri Benc Date: Thu, 7 Nov 2013 19:59:19 +0100 Subject: nfnetlink: do not ack malformed messages Commit 0628b123c96d ("netfilter: nfnetlink: add batch support and use it from nf_tables") introduced a bug leading to various crashes in netlink_ack when netlink message with invalid nlmsg_len was sent by an unprivileged user. Signed-off-by: Jiri Benc Signed-off-by: David S. Miller --- net/netfilter/nfnetlink.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index 027f16a..046aa13 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c @@ -363,13 +363,15 @@ static void nfnetlink_rcv(struct sk_buff *skb) struct net *net = sock_net(skb->sk); int msglen; - if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) - return netlink_ack(skb, nlh, -EPERM); - if (nlh->nlmsg_len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len) return; + if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) { + netlink_ack(skb, nlh, -EPERM); + return; + } + if (nlh->nlmsg_type == NFNL_MSG_BATCH_BEGIN) { struct nfgenmsg *nfgenmsg; -- cgit v1.1