Re: [PATCH nf] netfilter: nfnetlink: correctly validate length of batch messages

2016-02-15 Thread Pablo Neira Ayuso
On Tue, Feb 02, 2016 at 01:36:45PM -0500, phil.turnb...@oracle.com wrote:
> From: Phil Turnbull
>
> If nlh->nlmsg_len is zero then an infinite loop is triggered because
> 'skb_pull(skb, msglen);' pulls zero bytes.
>
> The calculation in nlmsg_len() underflows if

[PATCH nf] netfilter: nfnetlink: correctly validate length of batch messages

2016-02-02 Thread phil . turnbull
From: Phil Turnbull

If nlh->nlmsg_len is zero then an infinite loop is triggered because
'skb_pull(skb, msglen);' pulls zero bytes.

The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len < NLMSG_HDRLEN'
which bypasses the length validation and will later trigger