| To: | Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: old NLMSG_OK fix |
| From: | "David S. Miller" <davem@xxxxxxxxxx> |
| Date: | Mon, 28 Jun 2004 11:22:58 -0700 |
| Cc: | hch@xxxxxx, netdev@xxxxxxxxxxx |
| In-reply-to: | <E1Besfp-0004hd-00@xxxxxxxxxxxxxxxxxxxxxxxx> |
| References: | <20040627205133.11d37f0c.davem@xxxxxxxxxx> <E1Besfp-0004hd-00@xxxxxxxxxxxxxxxxxxxxxxxx> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
On Mon, 28 Jun 2004 19:43:37 +1000 Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote: > David S. Miller <davem@xxxxxxxxxx> wrote: > > On Sun, 27 Jun 2004 19:15:52 +0200 > > Christoph Hellwig <hch@xxxxxx> wrote: > > > >> http://oss.sgi.com/projects/netdev/archive/2000-09/msg00001.html > > > > It works because there is always 16 bytes of scratch at the end of an > > SKB more than was allocated for the actual data. So blindly deref'ing > > the nlmsg_len value is fine here. > > Yes but this is also used by user-space appliations where this scratch > space may not exist. NETLINK messages can travel from one application > to another so exploits are possible. You're right, thanks for pointing this out. I'll add it to my tree. |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: 2.6.6: IPv6 initialisation bug, Russell King |
|---|---|
| Next by Date: | Re: kiocb->private is too large for kiocb's on-stack, David S. Miller |
| Previous by Thread: | Re: old NLMSG_OK fix, Herbert Xu |
| Next by Thread: | Fwd: 2.6.6: IPv6 initialisation bug, Russell King |
| Indexes: | [Date] [Thread] [Top] [All Lists] |