The patch below fixes a problem with the ip_queue module, where
certain malformed-length netlink messages from userspace could cause a
kernel oops during error reporting via netlink error messages.
Any netlink messages arriving at the module are now silently dropped if
they fail length validation.
Thanks to Wilmer van der Gaast for discovering and reporting the problem.
- James
--
James Morris
<jmorris@xxxxxxxxxxxxxxxx>
diff -urN linux-2.4.5.orig/net/ipv4/netfilter/ip_queue.c
linux/net/ipv4/netfilter/ip_queue.c
--- linux-2.4.5.orig/net/ipv4/netfilter/ip_queue.c Tue Dec 12 07:37:04 2000
+++ linux/net/ipv4/netfilter/ip_queue.c Fri Jun 1 22:25:17 2001
@@ -431,10 +431,15 @@
int status, type;
struct nlmsghdr *nlh;
+ if (skb->len < sizeof(struct nlmsghdr))
+ return;
+
nlh = (struct nlmsghdr *)skb->data;
- if (nlh->nlmsg_len < sizeof(*nlh)
- || skb->len < nlh->nlmsg_len
- || nlh->nlmsg_pid <= 0
+ if (nlh->nlmsg_len < sizeof(struct nlmsghdr)
+ || skb->len < nlh->nlmsg_len)
+ return;
+
+ if(nlh->nlmsg_pid <= 0
|| !(nlh->nlmsg_flags & NLM_F_REQUEST)
|| nlh->nlmsg_flags & NLM_F_MULTI)
RCV_SKB_FAIL(-EINVAL);
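Review bot: the two new early `return`s discard a bad-length message with no trace at all, so an administrator cannot tell that a userspace process is repeatedly sending malformed netlink headers; consider a rate-limited printk or a drop counter at the `return` points (without a reply, since replying is what triggered the oops). Minor style: `if(nlh->nlmsg_pid <= 0` lacks the space after `if` used by the other conditions in the hunk, and because nlmsg_pid is an unsigned __u32 the `<= 0` test is effectively `== 0`.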