aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
Diffstat (limited to 'net')
-rw-r--r--net/netlink/attr.c49
1 files changed, 39 insertions, 10 deletions
diff --git a/net/netlink/attr.c b/net/netlink/attr.c
index 136e529e5780..004139557e09 100644
--- a/net/netlink/attr.c
+++ b/net/netlink/attr.c
@@ -20,7 +20,6 @@ static u16 nla_attr_minlen[NLA_TYPE_MAX+1] __read_mostly = {
20 [NLA_U16] = sizeof(u16), 20 [NLA_U16] = sizeof(u16),
21 [NLA_U32] = sizeof(u32), 21 [NLA_U32] = sizeof(u32),
22 [NLA_U64] = sizeof(u64), 22 [NLA_U64] = sizeof(u64),
23 [NLA_STRING] = 1,
24 [NLA_NESTED] = NLA_HDRLEN, 23 [NLA_NESTED] = NLA_HDRLEN,
25}; 24};
26 25
@@ -28,7 +27,7 @@ static int validate_nla(struct nlattr *nla, int maxtype,
28 struct nla_policy *policy) 27 struct nla_policy *policy)
29{ 28{
30 struct nla_policy *pt; 29 struct nla_policy *pt;
31 int minlen = 0; 30 int minlen = 0, attrlen = nla_len(nla);
32 31
33 if (nla->nla_type <= 0 || nla->nla_type > maxtype) 32 if (nla->nla_type <= 0 || nla->nla_type > maxtype)
34 return 0; 33 return 0;
@@ -37,16 +36,46 @@ static int validate_nla(struct nlattr *nla, int maxtype,
37 36
38 BUG_ON(pt->type > NLA_TYPE_MAX); 37 BUG_ON(pt->type > NLA_TYPE_MAX);
39 38
40 if (pt->minlen) 39 switch (pt->type) {
41 minlen = pt->minlen; 40 case NLA_FLAG:
42 else if (pt->type != NLA_UNSPEC) 41 if (attrlen > 0)
43 minlen = nla_attr_minlen[pt->type]; 42 return -ERANGE;
43 break;
44 44
45 if (pt->type == NLA_FLAG && nla_len(nla) > 0) 45 case NLA_NUL_STRING:
46 return -ERANGE; 46 if (pt->len)
47 minlen = min_t(int, attrlen, pt->len + 1);
48 else
49 minlen = attrlen;
47 50
48 if (nla_len(nla) < minlen) 51 if (!minlen || memchr(nla_data(nla), '\0', minlen) == NULL)
49 return -ERANGE; 52 return -EINVAL;
53 /* fall through */
54
55 case NLA_STRING:
56 if (attrlen < 1)
57 return -ERANGE;
58
59 if (pt->len) {
60 char *buf = nla_data(nla);
61
62 if (buf[attrlen - 1] == '\0')
63 attrlen--;
64
65 if (attrlen > pt->len)
66 return -ERANGE;
67 }
68 break;
69
70 default:
71 if (pt->len)
72 minlen = pt->len;
73 else if (pt->type != NLA_UNSPEC)
74 minlen = nla_attr_minlen[pt->type];
75
76 if (attrlen < minlen)
77 return -ERANGE;
78 }
50 79
51 return 0; 80 return 0;
52} 81}