summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMathias Krause <minipli@googlemail.com>2013-09-30 22:03:07 +0200
committerDavid S. Miller <davem@davemloft.net>2013-10-02 16:03:50 -0400
commit162b2bedc084d2d908a04c93383ba02348b648b0 (patch)
tree374417ed599d2aa5c7e5920e0625e145ec4abb4f
parente727ca82e0e9616ab4844301e6bae60ca7327682 (diff)
downloadlinux-162b2bedc084d2d908a04c93383ba02348b648b0.tar.gz
linux-162b2bedc084d2d908a04c93383ba02348b648b0.tar.bz2
linux-162b2bedc084d2d908a04c93383ba02348b648b0.zip
connector: use nlmsg_len() to check message length
The current code tests the length of the whole netlink message to be at least as long to fit a cn_msg. This is wrong as nlmsg_len includes the length of the netlink message header. Use nlmsg_len() instead to fix this "off-by-NLMSG_HDRLEN" size check. Cc: stable@vger.kernel.org # v2.6.14+ Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/connector/connector.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
index 6ecfa758942c..0daa11e418b1 100644
--- a/drivers/connector/connector.c
+++ b/drivers/connector/connector.c
@@ -157,17 +157,18 @@ static int cn_call_callback(struct sk_buff *skb)
static void cn_rx_skb(struct sk_buff *__skb)
{
struct nlmsghdr *nlh;
- int err;
struct sk_buff *skb;
+ int len, err;
skb = skb_get(__skb);
if (skb->len >= NLMSG_HDRLEN) {
nlh = nlmsg_hdr(skb);
+ len = nlmsg_len(nlh);
- if (nlh->nlmsg_len < sizeof(struct cn_msg) ||
+ if (len < (int)sizeof(struct cn_msg) ||
skb->len < nlh->nlmsg_len ||
- nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) {
+ len > CONNECTOR_MAX_MSG_SIZE) {
kfree_skb(skb);
return;
}