netfilter: nfnetlink: validate nfnetlink header from batch

Make sure there is enough room for the nfnetlink header in the netlink messages that are part of the batch. There is a similar check in netlink_rcv_skb(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2015-01-04 09:20:29 -0500
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2015-01-06 16:27:46 -0500
commit: 9ea2aa8b7dba9e99544c4187cc298face254569f (patch)
tree: 2d6056766f02f0f1682b52bc4f68fb4d8d1b8b29 /net
parent: 8ca3f5e974f2b4b7f711589f4abff920db36637a (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 13c2e17bbe27..c6619d4bcc32 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -321,7 +321,8 @@ replay:
                nlh = nlmsg_hdr(skb);
                err = 0;
-                if (nlh->nlmsg_len < NLMSG_HDRLEN) {
+                if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) ||
+                    skb->len < nlh->nlmsg_len) {
                        err = -EINVAL;
                        goto ack;
                }
author	Pablo Neira Ayuso <pablo@netfilter.org>	2015-01-04 09:20:29 -0500
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2015-01-06 16:27:46 -0500
commit	9ea2aa8b7dba9e99544c4187cc298face254569f (patch)
tree	2d6056766f02f0f1682b52bc4f68fb4d8d1b8b29 /net
parent	8ca3f5e974f2b4b7f711589f4abff920db36637a (diff)

diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index 13c2e17bbe27..c6619d4bcc32 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c
@@ -321,7 +321,8 @@ replay:
321	nlh = nlmsg_hdr(skb);	321	nlh = nlmsg_hdr(skb);
322	err = 0;	322	err = 0;
323		323
324	if (nlh->nlmsg_len < NLMSG_HDRLEN) {	324	if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) \|\|
		325	skb->len < nlh->nlmsg_len) {
325	err = -EINVAL;	326	err = -EINVAL;
326	goto ack;	327	goto ack;
327	}	328	}