netdev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[PATCH] ip_queue malformed netlink message oops fix

from [James Morris] [Permanent Link][Original]
To: <netdev@xxxxxxxxxxx>
Subject: [PATCH] ip_queue malformed netlink message oops fix
From: James Morris <jmorris@xxxxxxxxxxxxxxxx>
Date: Fri, 29 Jun 2001 10:28:21 +1000 (EST)
Sender: owner-netdev@xxxxxxxxxxx 
This patch is a resend.

Description:
Fixes oops caused by short/malformed length Netlink messages.


- James
-- 
James Morris
<jmorris@xxxxxxxxxxxxxxxx>

diff -urN linux-2.4.5.orig/net/ipv4/netfilter/ip_queue.c 
linux/net/ipv4/netfilter/ip_queue.c
--- linux-2.4.5.orig/net/ipv4/netfilter/ip_queue.c      Tue Dec 12 07:37:04 2000
+++ linux/net/ipv4/netfilter/ip_queue.c Fri Jun  1 22:25:17 2001
@@ -431,10 +431,15 @@
        int status, type;
        struct nlmsghdr *nlh;

+       if (skb->len < sizeof(struct nlmsghdr))
+               return;
+
        nlh = (struct nlmsghdr *)skb->data;
-       if (nlh->nlmsg_len < sizeof(*nlh)
-           || skb->len < nlh->nlmsg_len
-           || nlh->nlmsg_pid <= 0
+       if (nlh->nlmsg_len < sizeof(struct nlmsghdr)
+           || skb->len < nlh->nlmsg_len)
+               return;
+
+       if(nlh->nlmsg_pid <= 0
            || !(nlh->nlmsg_flags & NLM_F_REQUEST)
            || nlh->nlmsg_flags & NLM_F_MULTI)
                RCV_SKB_FAIL(-EINVAL);
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [PATCH] ip_queue malformed netlink message oops fix, James Morris <=
Previous by Date:  [PATCH] ip_queue postrouting oops fix, James Morris
Next by Date:  [PATCH] ip_queue restore MAC copying, James Morris
Previous by Thread:  [PATCH] ip_queue postrouting oops fix, James Morris
Next by Thread:  [PATCH] ip_queue restore MAC copying, James Morris
Indexes:  [Date] [Thread] [Top] [All Lists]