linux/include/net
Vegard Nossum 1045b03e07 netlink: fix overrun in attribute iteration
kmemcheck reported this:

  kmemcheck: Caught 16-bit read from uninitialized memory (f6c1ba30)
  0500110001508abf050010000500000002017300140000006f72672e66726565
   i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u
                                   ^

  Pid: 3462, comm: wpa_supplicant Not tainted (2.6.27-rc3-00054-g6397ab9-dirty #13)
  EIP: 0060:[<c05de64a>] EFLAGS: 00010296 CPU: 0
  EIP is at nla_parse+0x5a/0xf0
  EAX: 00000008 EBX: fffffffd ECX: c06f16c0 EDX: 00000005
  ESI: 00000010 EDI: f6c1ba30 EBP: f6367c6c ESP: c0a11e88
   DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
  CR0: 8005003b CR2: f781cc84 CR3: 3632f000 CR4: 000006d0
  DR0: c0ead9bc DR1: 00000000 DR2: 00000000 DR3: 00000000
  DR6: ffff4ff0 DR7: 00000400
   [<c05d4b23>] rtnl_setlink+0x63/0x130
   [<c05d5f75>] rtnetlink_rcv_msg+0x165/0x200
   [<c05ddf66>] netlink_rcv_skb+0x76/0xa0
   [<c05d5dfe>] rtnetlink_rcv+0x1e/0x30
   [<c05dda21>] netlink_unicast+0x281/0x290
   [<c05ddbe9>] netlink_sendmsg+0x1b9/0x2b0
   [<c05beef2>] sock_sendmsg+0xd2/0x100
   [<c05bf945>] sys_sendto+0xa5/0xd0
   [<c05bf9a6>] sys_send+0x36/0x40
   [<c05c03d6>] sys_socketcall+0x1e6/0x2c0
   [<c020353b>] sysenter_do_call+0x12/0x3f
   [<ffffffff>] 0xffffffff

This is the line in nla_ok():

  /**
   * nla_ok - check if the netlink attribute fits into the remaining bytes
   * @nla: netlink attribute
   * @remaining: number of bytes remaining in attribute stream
   */
  static inline int nla_ok(const struct nlattr *nla, int remaining)
  {
          return remaining >= sizeof(*nla) &&
                 nla->nla_len >= sizeof(*nla) &&
                 nla->nla_len <= remaining;
  }

It turns out that remaining can become negative due to alignment in
nla_next(). But GCC promotes "remaining" to unsigned in the test
against sizeof(*nla) above. Therefore the test succeeds, and the
nla_for_each_attr() may access memory outside the received buffer.

A short example illustrating this point is here:

  #include <stdio.h>

  main(void)
  {
          printf("%d\n", -1 >= sizeof(int));
  }

...which prints "1".

This patch adds a cast in front of the sizeof so that GCC will make
a signed comparison and fix the illegal memory dereference. With the
patch applied, there is no kmemcheck report.

Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-09-11 19:05:29 -07:00
..
9p 9p: fix error path during early mount 2008-05-14 19:23:27 -05:00
bluetooth [Bluetooth] Reject L2CAP connections on an insecure ACL link 2008-09-09 07:19:20 +02:00
irda pkt_sched: Add qdisc_all_tx_empty() 2008-07-08 23:00:25 -07:00
iucv [AF_IUCV]: postpone receival of iucv-packets 2007-10-10 16:54:51 -07:00
netfilter netfilter: accounting rework: ct_extend + 64bit counters (v4) 2008-07-21 10:10:58 -07:00
netns netns: dont alloc ipv6 fib timer list 2008-07-22 14:33:45 -07:00
sctp sctp: Drop ipfargok in sctp_xmit function 2008-08-03 21:15:08 -07:00
tc_act [PKT_SCHED]: Add stateless NAT 2007-10-10 16:53:11 -07:00
tipc tipc: Remove unneeded parameter to tipc_createport_raw() 2008-07-14 22:42:19 -07:00
act_api.h [NET_SCHED]: act_api: use PTR_ERR in tcf_action_init/tcf_action_get 2008-01-28 15:11:17 -08:00
addrconf.h netns: Add network namespace argument to rt6_fill_node() and ipv6_dev_get_saddr() 2008-08-14 15:33:21 -07:00
af_rxrpc.h [AF_RXRPC]: Add an interface to the AF_RXRPC module for the AFS filesystem to use 2007-04-26 15:50:17 -07:00
af_unix.h [PATCH] f_count may wrap around 2008-07-26 20:53:40 -04:00
ah.h [IPSEC]: Get rid of ipv6_{auth,esp,comp}_hdr 2007-10-10 16:55:55 -07:00
arp.h [NETFILTER]: ebtables: remove casts, use consts 2008-01-31 19:27:33 -08:00
atmclip.h
ax25.h [AX25] ax25_ds_timer: use mod_timer instead of add_timer 2008-02-12 17:53:34 -08:00
ax88796.h ax88796: add 93cx6 eeprom support 2007-10-10 16:53:56 -07:00
cfg80211.h nl80211/cfg80211: support for mesh, sta dumping 2008-03-06 15:30:41 -05:00
checksum.h [NET]: Move netfilter checksum helpers to net/core/utils.c 2008-01-28 14:55:14 -08:00
cipso_ipv4.h [NetLabel]: consolidate the struct socket/sock handling to just struct sock 2007-06-08 13:33:09 -07:00
compat.h net: Use standard structures for generic socket address structures. 2008-07-19 22:35:47 -07:00
datalink.h
dn_dev.h
dn_fib.h [DECNet]: Use rtnl registration interface 2007-04-25 22:27:12 -07:00
dn_neigh.h
dn_nsp.h
dn_route.h [NET]: Wrap netdevice hardware header creation. 2007-10-10 16:52:50 -07:00
dn.h [DECNET]: Another unnecessary net/tcp.h inclusion in net/dn.h 2007-07-10 23:02:12 -07:00
dsfield.h [NET]: Constify include/net/dsfield.h 2008-01-28 14:55:58 -08:00
dst.h net: Kill plain NET_XMIT_BYPASS. 2008-08-04 23:04:08 -07:00
esp.h [IPSEC]: Use crypto_aead and authenc in ESP 2008-01-31 19:27:02 -08:00
fib_rules.h net: add fib_rules_ops to flush_cache method 2008-07-05 19:01:28 -07:00
flow.h ipv4: remove unused field in struct flowi (include/net/flow.h). 2008-08-05 01:19:50 -07:00
garp.h vlan: Add GVRP support 2008-07-05 21:26:57 -07:00
gen_stats.h [NET_SCHED]: Convert packet schedulers from rtnetlink to new netlink API 2008-01-28 15:11:10 -08:00
genetlink.h netlink: Improve returned error codes 2008-06-03 16:36:54 -07:00
icmp.h mib: put icmpmsg statistics on struct net 2008-07-18 04:04:22 -07:00
ieee80211_crypt.h [PATCH] Update my email address from jkmaline@cc.hut.fi to j@w1.fi 2007-04-28 11:01:01 -04:00
ieee80211_radiotap.h include: use get/put_unaligned_* helpers 2008-07-25 10:53:26 -07:00
ieee80211.h remove ieee80211_wx_{get,set}_auth() 2008-05-07 15:02:14 -04:00
if_inet6.h ipv6: make struct ipv6_devconf static 2008-07-22 14:21:58 -07:00
inet6_connection_sock.h
inet6_hashtables.h netns: introduce the net_hash_mix "salt" for hashes 2008-06-16 17:14:11 -07:00
inet_common.h [NETNS]: Inet control socket should not hold a namespace. 2008-04-03 14:28:30 -07:00
inet_connection_sock.h [INET]: Rename inet_csk_ctl_sock_create to inet_ctl_sock_create. 2008-04-03 14:22:32 -07:00
inet_ecn.h [IPV6]: Use appropriate sock tclass setting for routing lookup. 2008-04-13 23:40:51 -07:00
inet_frag.h [NET]: Rename inet_frag.h identifiers COMPLETE, FIRST_IN, LAST_IN to INET_FRAG_* 2008-03-28 16:35:27 -07:00
inet_hashtables.h netns: introduce the net_hash_mix "salt" for hashes 2008-06-16 17:14:11 -07:00
inet_sock.h netns: introduce the net_hash_mix "salt" for hashes 2008-06-16 17:14:11 -07:00
inet_timewait_sock.h netns : fix kernel panic in timewait socket destruction 2008-09-08 13:17:27 -07:00
inetpeer.h net: remove CVS keywords 2008-06-11 21:00:38 -07:00
ip6_checksum.h
ip6_fib.h [NETNS][IPV6] rt6_info - move rt6_info structure inside the namespace 2008-03-04 13:48:30 -08:00
ip6_route.h netns: Add network namespace argument to rt6_fill_node() and ipv6_dev_get_saddr() 2008-08-14 15:33:21 -07:00
ip6_tunnel.h net: remove CVS keywords 2008-06-11 21:00:38 -07:00
ip_fib.h [IPV4]: Fix compile error building without CONFIG_FS_PROC 2008-02-05 02:54:16 -08:00
ip_vs.h ipvs: Embed estimator object into stats object 2008-08-11 14:00:43 +02:00
ip.h [PATCH] sysctl: make sure that /proc/sys/net/ipv4 appears before per-ns ones 2008-07-26 20:53:10 -04:00
ipcomp.h ipsec: ipcomp - Merge IPComp implementations 2008-07-25 02:54:40 -07:00
ipconfig.h net: remove CVS keywords 2008-06-11 21:00:38 -07:00
ipip.h tunnels: Remove stat member from ip_tunnel struct. 2008-05-21 14:16:36 -07:00
ipv6.h net: missing bits of net-namespace / sysctl 2008-07-27 04:40:51 -07:00
ipx.h [SK_BUFF]: Introduce skb_transport_header(skb) 2007-04-25 22:25:31 -07:00
iw_handler.h wext: Emit event stream entries correctly when compat. 2008-06-16 18:50:49 -07:00
lapb.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h [NET]: Make socket creation namespace safe. 2007-10-10 16:49:07 -07:00
llc_if.h [LLC]: Kill static inline llc_addrany 2008-02-29 11:46:17 -08:00
llc_pdu.h [LLC]: skb allocation size for responses 2008-03-31 21:02:47 -07:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h [LLC]: skb allocation size for responses 2008-03-31 21:02:47 -07:00
llc.h [LLC]: station source mac address 2008-03-28 16:28:36 -07:00
mac80211.h mac80211: remove kdoc references to IEEE80211_HW_HOST_GEN_BEACON_TEMPLATE 2008-08-18 11:05:14 -04:00
mip6.h [IPV6] MIP6: Use our standard definitions for paddings. 2008-04-12 13:43:22 +09:00
ndisc.h ndisc: Add missing strategies for per-device retrans timer/reachable time settings. 2008-05-19 16:25:42 -07:00
neighbour.h core: add stat to track unresolved discards in neighbor cache 2008-07-16 20:50:49 -07:00
net_namespace.h [PATCH] beginning of sysctl cleanup - ctl_table_set 2008-07-26 20:53:08 -04:00
netdma.h
netevent.h [NET]: Remove unnecessary inclusion of dst.h 2008-01-28 14:53:38 -08:00
netlabel.h Audit: collect sessionid in netlink messages 2008-04-28 06:18:03 -04:00
netlink.h netlink: fix overrun in attribute iteration 2008-09-11 19:05:29 -07:00
netrom.h
nexthop.h
p8022.h
pkt_cls.h [PKT_SCHED]: Pass real namespace in net scheduler classifiers. 2008-03-27 16:53:37 -07:00
pkt_sched.h pkt_sched: Fix qdisc list locking 2008-08-22 03:31:39 -07:00
protocol.h [NETNS]: Drop packets in the non-initial namespace on the per/protocol basis. 2008-03-24 15:33:00 -07:00
psnap.h
raw.h [RAW]: Add raw_hashinfo member on struct proto. 2008-03-22 16:56:51 -07:00
rawv6.h [IPv6] RAW: Compact the API for the kernel 2008-01-28 14:54:29 -08:00
red.h [NET_SCHED]: turn PSCHED_GET_TIME into inline function 2007-04-25 22:27:55 -07:00
request_sock.h tcp: Fix kernel panic when calling tcp_v(4/6)_md5_do_lookup 2008-08-06 23:50:04 -07:00
rose.h rose: improving AX25 routing frames via ROSE network 2008-06-17 17:08:32 -07:00
route.h net: missing bits of net-namespace / sysctl 2008-07-27 04:40:51 -07:00
rtnetlink.h [RTNL]: Introduce the rtnl_kill_links helper. 2008-04-16 00:46:52 -07:00
sch_generic.h pkt_sched: Fix sch_tree_lock() 2008-08-27 02:27:10 -07:00
scm.h pid namespaces: changes to show virtual ids to user 2007-10-19 11:53:40 -07:00
slhc_vj.h
snmp.h net: remove CVS keywords 2008-06-11 21:00:38 -07:00
sock.h sock: add net to prot->enter_memory_pressure callback 2008-07-16 20:28:10 -07:00
stp.h net: Add STP demux layer 2008-07-05 21:25:39 -07:00
syncppp.h Remove bogus variables from syncppp.[ch] 2008-07-23 23:00:31 +02:00
tcp_states.h
tcp.h tcp: options clean up 2008-07-19 00:04:31 -07:00
timewait_sock.h
transp_v6.h net: change proto destroy method to return void 2008-06-14 17:04:49 -07:00
udp.h mib: put udplite statistics on struct net 2008-07-18 04:03:45 -07:00
udplite.h [UDP]: Revert udplite and code split. 2008-03-06 16:22:02 -08:00
wext.h wext: Dispatch and handle compat ioctls entirely in net/wireless/wext.c 2008-06-16 18:32:46 -07:00
wireless.h mac80211: allow disable FAT in specific configurations 2008-06-03 15:00:26 -04:00
x25.h
x25device.h [SK_BUFF]: Introduce skb_reset_mac_header(skb) 2007-04-25 22:24:32 -07:00
xfrm.h xfrm: convert empty xfrm_audit_* macros to functions 2008-05-03 21:03:01 -07:00