1 files changed, 18 insertions, 17 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 01082a1d2bc5..ce77e81a0e71 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -937,28 +937,29 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 }
 /*
- * Get message from skb (based on rtnetlink_rcv_skb).  Each message is
+ * Get message from skb.  Each message is processed by audit_receive_msg.
- * processed by audit_receive_msg.  Malformed skbs with wrong length are
+ * Malformed skbs with wrong length are discarded silently.
- * discarded silently.
 */
 static void audit_receive_skb(struct sk_buff *skb)
 {
-        int             err;
+        struct nlmsghdr *nlh;
-        struct nlmsghdr *nlh;
+        /*
-        u32             rlen;
+         * len MUST be signed for NLMSG_NEXT to be able to dec it below 0
+         * if the nlmsg_len was not aligned
+         */
+        int len;
+        int err;
-        while (skb->len >= NLMSG_SPACE(0)) {
+        nlh = nlmsg_hdr(skb);
-                nlh = nlmsg_hdr(skb);
+        len = skb->len;
-                if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
-                        return;
+        while (NLMSG_OK(nlh, len)) {
-                rlen = NLMSG_ALIGN(nlh->nlmsg_len);
+                err = audit_receive_msg(skb, nlh);
-                if (rlen > skb->len)
+                /* if err or if this message says it wants a response */
-                        rlen = skb->len;
+                if (err || (nlh->nlmsg_flags & NLM_F_ACK))
-                if ((err = audit_receive_msg(skb, nlh))) {
                        netlink_ack(skb, nlh, err);
-                } else if (nlh->nlmsg_flags & NLM_F_ACK)
-                        netlink_ack(skb, nlh, 0);
+                nlh = NLMSG_NEXT(nlh, len);
-                skb_pull(skb, rlen);
        }
 }

diff --git a/kernel/audit.c b/kernel/audit.c index 01082a1d2bc5..ce77e81a0e71 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -937,28 +937,29 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
937	}	937	}
938		938
939	/*	939	/*
940	* Get message from skb (based on rtnetlink_rcv_skb). Each message is	940	* Get message from skb. Each message is processed by audit_receive_msg.
941	* processed by audit_receive_msg. Malformed skbs with wrong length are	941	* Malformed skbs with wrong length are discarded silently.
942	* discarded silently.
943	*/	942	*/
944	static void audit_receive_skb(struct sk_buff *skb)	943	static void audit_receive_skb(struct sk_buff *skb)
945	{	944	{
946	int err;	945	struct nlmsghdr *nlh;
947	struct nlmsghdr *nlh;	946	/*
948	u32 rlen;	947	* len MUST be signed for NLMSG_NEXT to be able to dec it below 0
		948	* if the nlmsg_len was not aligned
		949	*/
		950	int len;
		951	int err;
949		952
950	while (skb->len >= NLMSG_SPACE(0)) {	953	nlh = nlmsg_hdr(skb);
951	nlh = nlmsg_hdr(skb);	954	len = skb->len;
952	if (nlh->nlmsg_len < sizeof(*nlh) \|\| skb->len < nlh->nlmsg_len)	955
953	return;	956	while (NLMSG_OK(nlh, len)) {
954	rlen = NLMSG_ALIGN(nlh->nlmsg_len);	957	err = audit_receive_msg(skb, nlh);
955	if (rlen > skb->len)	958	/* if err or if this message says it wants a response */
956	rlen = skb->len;	959	if (err \|\| (nlh->nlmsg_flags & NLM_F_ACK))
957	if ((err = audit_receive_msg(skb, nlh))) {
958	netlink_ack(skb, nlh, err);	960	netlink_ack(skb, nlh, err);
959	} else if (nlh->nlmsg_flags & NLM_F_ACK)	961
960	netlink_ack(skb, nlh, 0);	962	nlh = NLMSG_NEXT(nlh, len);
961	skb_pull(skb, rlen);
962	}	963	}
963	}	964	}
964		965