netfilter: nfnetlink: validate nfnetlink header from batch

commit 9ea2aa8b7dba9e99544c4187cc298face254569f upstream. Make sure there is enough room for the nfnetlink header in the netlink messages that are part of the batch. There is a similar check in netlink_rcv_skb(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2015-01-04 15:20:29 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-01-29 17:40:50 -0800
commit: 15d25f97e23d65b62c4c99ea4769940fced9250d (patch)
tree: da16a6fccae9c3909263d09a6fd76e47b6269680 /net
parent: cf69173f59163182c12e0ecbda52721397468763 (diff)
download: lwn-15d25f97e23d65b62c4c99ea4769940fced9250d.tar.gz
lwn-15d25f97e23d65b62c4c99ea4769940fced9250d.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index bf8a108b46e2..6cf2f077e09c 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -265,7 +265,8 @@ replay:
 		nlh = nlmsg_hdr(skb);
 		err = 0;
 
-		if (nlh->nlmsg_len < NLMSG_HDRLEN) {
+		if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) ||
+		    skb->len < nlh->nlmsg_len) {
 			err = -EINVAL;
 			goto ack;
 		}
author	Pablo Neira Ayuso <pablo@netfilter.org>	2015-01-04 15:20:29 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2015-01-29 17:40:50 -0800
commit	15d25f97e23d65b62c4c99ea4769940fced9250d (patch)
tree	da16a6fccae9c3909263d09a6fd76e47b6269680 /net
parent	cf69173f59163182c12e0ecbda52721397468763 (diff)
download	lwn-15d25f97e23d65b62c4c99ea4769940fced9250d.tar.gz lwn-15d25f97e23d65b62c4c99ea4769940fced9250d.zip