projects / packages / kernel.git / blame
| Commit | Line | Data |
|---|---|---|
| 7b14a70e JR |
1 | Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY |
| 2 | with a family greater or equal then AF_MAX -- the array size of | |
| 3 | sock_diag_handlers[]. The current code does not test for this | |
| 4 | condition therefore is vulnerable to an out-of-bound access opening | |
| 5 | doors for a privilege escalation. | |
| 6 | ||
| 7 | Signed-off-by: Mathias Krause <minipli@googlemail.com> | |
| 8 | --- | |
| 9 | net/core/sock_diag.c | 3 +++ | |
| 10 | 1 file changed, 3 insertions(+) | |
| 11 | ||
| 12 | diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c | |
| 13 | index 602cd63..750f44f 100644 | |
| 14 | --- a/net/core/sock_diag.c | |
| 15 | +++ b/net/core/sock_diag.c | |
| 16 | @@ -121,6 +121,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) | |
| 17 | if (nlmsg_len(nlh) < sizeof(*req)) | |
| 18 | return -EINVAL; | |
| 19 | ||
| 20 | + if (req->sdiag_family >= AF_MAX) | |
| 21 | + return -EINVAL; | |
| 22 | + | |
| 23 | hndl = sock_diag_lock_handler(req->sdiag_family); | |
| 24 | if (hndl == NULL) | |
| 25 | err = -ENOENT; | |
| 26 | -- | |
| 27 | 1.7.10.4 | |
| 28 | ||
| 29 | -- | |
| 30 | To unsubscribe from this list: send the line "unsubscribe netdev" in | |
| 31 | the body of a message to majordomo@vger.kernel.org | |
| 32 | More majordomo info at http://vger.kernel.org/majordomo-info.html |