netfilter: nfnetlink: validate nfnetlink header from batch

ummakynes · ummakynes · commit 9ea2aa8b7dba · 2015-01-06T22:27:46.000+01:00
Make sure there is enough room for the nfnetlink header in the
netlink messages that are part of the batch. There is a similar
check in netlink_rcv_skb().

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
@@ -321,7 +321,8 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh,
 		nlh = nlmsg_hdr(skb);
 		err = 0;
 
-		if (nlh->nlmsg_len < NLMSG_HDRLEN) {
+		if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) ||
+		    skb->len < nlh->nlmsg_len) {
 			err = -EINVAL;
 			goto ack;
 		}

Original file line number	Diff line number	Diff line change
`@@ -321,7 +321,8 @@ static void nfnetlink_rcv_batch(struct sk_buff skb, struct nlmsghdr nlh,`
`321`	`321`	`nlh = nlmsg_hdr(skb);`
`322`	`322`	`err = 0;`
`323`	`323`
`324`		`- if (nlh->nlmsg_len < NLMSG_HDRLEN) {`
	`324`	`+ if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) \|\|`
	`325`	`+ skb->len < nlh->nlmsg_len) {`
`325`	`326`	`err = -EINVAL;`
`326`	`327`	`goto ack;`
`327`	`328`	`}`