From: Eugene Teo <eteo@redhat.com> Date: Mon, 15 Sep 2008 13:45:55 +0800 Subject: [net] netlink: fix overrun in attribute iteration Message-id: 20080915054555.GA7605@kernel.sg O-Subject: [RHEL5.4 patch] BZ#462283 kernel: netlink: fix overrun in attribute iteration Bugzilla: 462283 RH-Acked-by: David Miller <davem@redhat.com> This is for bz#462283. kmemcheck reported this: kmemcheck: Caught 16-bit read from uninitialized memory (f6c1ba30) 0500110001508abf050010000500000002017300140000006f72672e66726565 i i i i i i i i i i i i i u u u u u u u u u u u u u u u u u u u ^ It turns out that remaining in nla_ok() can become negative due to alignment in nla_next(). But GCC promotes "remaining" to unsigned in the test against sizeof(*nla) above. Therefore the test succeeds, and the nla_for_each_attr() may access memory outside the received buffer. Backport of upstream commit: 1045b03e07d85f3545118510a587035536030c1c Signed-off-by: Eugene Teo <eteo@redhat.com> diff --git a/include/net/netlink.h b/include/net/netlink.h index 3f65c80..d200b99 100644 --- a/include/net/netlink.h +++ b/include/net/netlink.h @@ -655,7 +655,7 @@ static inline int nla_len(const struct nlattr *nla) */ static inline int nla_ok(const struct nlattr *nla, int remaining) { - return remaining >= sizeof(*nla) && + return remaining >= (int) sizeof(*nla) && nla->nla_len >= sizeof(*nla) && nla->nla_len <= remaining; }
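Review bot: the `(int)` cast on `sizeof(*nla)` in the `nla_ok()` hunk is the whole fix, but on its own it reads as redundant and a later cleanup could drop it and reintroduce the overrun; add a short comment on that line stating that `remaining` can go negative after `nla_next()` rounds to alignment, so the comparison must stay signed rather than be promoted to `size_t`. The other two conditions are unaffected by the change: `nla->nla_len >= sizeof(*nla)` involves no signed operand, and `nla->nla_len <= remaining` is only evaluated once the first condition has established that `remaining` is non-negative, so the short-circuit ordering of the `&&` chain is what makes the fix sufficient and should not be reordered.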