Holger Eitzenberger <[EMAIL PROTECTED]> writes:
> while going through netlink code I found out that netlink_bind()
> does not properly check bind parameters. I checked both 2.6.23-rc1 as
> well as 2.6.16.53, both are affected.
>
> With a small test prog I wasn't able to crash my machine though, but
> data was accessed out of bounds.
See my attached patch, thanks.
/holger
[NETLINK] Check for correct bind parameters
Before this change it was possible to pass less than sockaddr_nl
bytes, which might lead to arbitrary data being accessed in
netlink_bind().
Signed-off-by: Holger Eitzenberger <[EMAIL PROTECTED]>
---
commit 53ba94ab22cc3338d915d684ba1012fa0419ff14
tree 3a1b1dc6cb5dacac99722b9f96fe3ba4b2d29bde
parent f695baf2df9e0413d3521661070103711545207a
author Holger Eitzenberger <[EMAIL PROTECTED]> Mon, 17 Sep 2007 22:15:37 +0200
committer Holger Eitzenberger <[EMAIL PROTECTED](none)> Mon, 17 Sep 2007
22:15:37 +0200
net/netlink/af_netlink.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 5681ce3..425543d 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -598,6 +598,9 @@ static int netlink_bind(struct socket *sock, struct
sockaddr *addr, int addr_len
struct sockaddr_nl *nladdr = (struct sockaddr_nl *)addr;
int err;
+ if (addr < sizeof(struct sockaddr_nl))
+ return -EINVAL;
+
if (nladdr->nl_family != AF_NETLINK)
return -EINVAL;
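
Review bot: the added condition "if (addr < sizeof(struct sockaddr_nl))" compares addr, the sockaddr pointer, rather than the length, so a short address is still not rejected before nladdr->nl_family is read. It should test addr_len, the third parameter of netlink_bind(). Since addr_len is declared int and sizeof yields size_t, a negative length would be converted to a large unsigned value in that comparison and pass it, so the check would be more robust written as "if (addr_len < 0 || addr_len < sizeof(struct sockaddr_nl))". Comparing a pointer with an integer should also produce a compiler warning, which suggests the patch as posted was not build-tested.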