ipv4: provide stronger user input validation in nl_fib_input()

commit c64c0b3cac4c5b8cb093727d2c19743ea3965c0b upstream. Alexander reported a KMSAN splat caused by reads of uninitialized field (tb_id_in) from user provided struct fib_result_nl It turns out nl_fib_input() sanity tests on user input is a bit wrong : User can pretend nlh->nlmsg_len is big enough, but provide at sendmsg() time a too small buffer. Reported-by: Alexander Potapenko <glider@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Willy Tarreau <w@1wt.eu>
author: Eric Dumazet <edumazet@google.com> 2017-03-21 19:22:28 -0700
committer: Mister Oyster <oysterized@gmail.com> 2017-07-04 12:11:09 +0200
commit: 1bee9ed85a22642d4419cbe7aa62775c8aa65ea5 (patch)
tree: 9c87061ace24bdb6a62b6cdf284c592367f69dee /net/ipv4
parent: 7c69ee1bf2f856f0d82652d027f4a5c3e5e0b3a8 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 5464901b8..80e374beb 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -990,7 +990,8 @@ static void nl_fib_input(struct sk_buff *skb)
 
 	net = sock_net(skb->sk);
 	nlh = nlmsg_hdr(skb);
-	if (skb->len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len ||
+	if (skb->len < nlmsg_total_size(sizeof(*frn)) ||
+	    skb->len < nlh->nlmsg_len ||
 	    nlmsg_len(nlh) < sizeof(*frn))
 		return;
author	Eric Dumazet <edumazet@google.com>	2017-03-21 19:22:28 -0700
committer	Mister Oyster <oysterized@gmail.com>	2017-07-04 12:11:09 +0200
commit	1bee9ed85a22642d4419cbe7aa62775c8aa65ea5 (patch)
tree	9c87061ace24bdb6a62b6cdf284c592367f69dee /net/ipv4
parent	7c69ee1bf2f856f0d82652d027f4a5c3e5e0b3a8 (diff)