Commit | Line | Data |
---|---|---|
7b14a70e JR |
1 | Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY |
2 | with a family greater than or equal to AF_MAX -- the array size of | |
3 | sock_diag_handlers[]. The current code does not test for this | |
4 | condition and is therefore vulnerable to an out-of-bounds access, opening | |
5 | doors for a privilege escalation. | |
6 | ||
7 | Signed-off-by: Mathias Krause <minipli@googlemail.com> | |
8 | --- | |
9 | net/core/sock_diag.c | 3 +++ | |
10 | 1 file changed, 3 insertions(+) | |
11 | ||
12 | diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c | |
13 | index 602cd63..750f44f 100644 | |
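--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
  if (nlmsg_len(nlh) < sizeof(*req))
  return -EINVAL;
 
+ if (req->sdiag_family >= AF_MAX)
+ return -EINVAL;
+
  hndl = sock_diag_lock_handler(req->sdiag_family);
  if (hndl == NULL)
  err = -ENOENT;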
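Review bot: The added `req->sdiag_family >= AF_MAX` check guards only this call site in `__sock_diag_rcv_msg()`, while the array access the description refers to presumably happens inside `sock_diag_lock_handler()`, which is not visible in this hunk. If that helper indexes `sock_diag_handlers[]` directly, validating the family there as well would keep any other or future caller from reintroducing the out-of-bounds read. A short comment above the new check would also record why it exists, for example `/* sdiag_family is userland-controlled and indexes sock_diag_handlers[AF_MAX] */`. The body of `__sock_diag_rcv_msg()` starts and ends outside the hunk, so the handling after the `-ENOENT` branch could not be reviewed here.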
26 | -- | |
27 | 1.7.10.4 | |
28 | ||