On 10/7/18 4:48 AM, Christian Brauner wrote: >> + >> static int neightbl_dump_info(struct sk_buff *skb, struct netlink_callback >> *cb) >> { >> + const struct nlmsghdr *nlh = cb->nlh; >> struct net *net = sock_net(skb->sk); >> int family, tidx, nidx = 0; >> int tbl_skip = cb->args[0]; >> int neigh_skip = cb->args[1]; >> struct neigh_table *tbl; >> >> - family = ((struct rtgenmsg *) nlmsg_data(cb->nlh))->rtgen_family; >> + if (cb->strict_check) { >> + int err = neightbl_valid_dump_info(nlh, cb->extack); >> + >> + if (err) >> + return err; >> + } >> + >> + family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family; > > So this already was a problem prior to your patch: what happens when you > pass in the wrong struct? Then this case is not safe to do and might > contain all kinds of crap.
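Review bot: the new validation at the top of neightbl_dump_info runs only under `if (cb->strict_check)`, so on the non-strict path `family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;` is still read with no length check visible in this hunk; a short comment stating where the minimum header length for a struct rtgenmsg is guaranteed (or noting what neightbl_valid_dump_info checks, which the hunk does not show) would make that dependency explicit for later readers of this function.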
'This case' meaning the above dereference? family is *always* the first element in all of the header structs. It is core to the rtnetlink processing.
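As an added example (not code from the patch or the kernel), a user-space C model of the strict check discussed above: it confirms a dump request carries at least a struct rtgenmsg before reading rtgen_family, the byte the thread agrees sits first in every rtnetlink header. The struct layouts, dump_request_family and sample_family are local constructions that mirror the uapi definitions; nothing here is the kernel's own code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal local copies of the netlink header and rtgenmsg layouts
 * (constructed here to mirror the uapi definitions; not kernel code). */
struct nlmsghdr {
    uint32_t nlmsg_len;   /* header + payload length in bytes */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};
struct rtgenmsg {
    unsigned char rtgen_family;  /* the family byte: payload offset 0 */
};

#define NLMSG_ALIGN(len) (((len) + 3u) & ~3u)
#define NLMSG_HDRLEN ((size_t)NLMSG_ALIGN(sizeof(struct nlmsghdr)))

/* Strict-check style validation: return rtgen_family, or -1 when the
 * message cannot safely be read as a dump request. buf_len is the byte
 * count actually received, so a header that overstates nlmsg_len is
 * rejected as well. */
int dump_request_family(const unsigned char *buf, size_t buf_len)
{
    struct nlmsghdr nlh;

    if (buf_len < sizeof(nlh))
        return -1;
    memcpy(&nlh, buf, sizeof(nlh));
    if (nlh.nlmsg_len > buf_len)
        return -1;
    if (nlh.nlmsg_len < NLMSG_HDRLEN + sizeof(struct rtgenmsg))
        return -1;  /* no room for rtgenmsg: would read past the payload */
    return buf[NLMSG_HDRLEN];
}

/* Constructed sample: a request whose header claims payload_len (0..4)
 * bytes of payload; the family byte is set to 2 (AF_INET) when present. */
int sample_family(size_t payload_len)
{
    unsigned char msg[NLMSG_HDRLEN + 4] = {0};
    struct nlmsghdr nlh = { .nlmsg_len = (uint32_t)(NLMSG_HDRLEN + payload_len) };
    memcpy(msg, &nlh, sizeof(nlh));
    msg[NLMSG_HDRLEN] = 2;
    return dump_request_family(msg, NLMSG_HDRLEN + payload_len);
}
```

A header-only message (payload_len 0) is rejected before the family byte is touched, while a complete request yields the family.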