On Tue, Feb 02, 2016 at 01:36:45PM -0500, phil.turnb...@oracle.com wrote:
> From: Phil Turnbull
>
> If nlh->nlmsg_len is zero then an infinite loop is triggered because
> 'skb_pull(skb, msglen);' pulls zero bytes.
>
> The calculation in nlmsg_len() underflows if
From: Phil Turnbull

If nlh->nlmsg_len is zero then an infinite loop is triggered because
'skb_pull(skb, msglen);' pulls zero bytes.

The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
NLMSG_HDRLEN' which bypasses the length validation and will later
trigger
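
The length check the message above argues for, as an added userspace example that is not part of the original mail or patch. It models a batch walk over netlink-style headers; `struct hdr`, `walk_batch`, `payload_len_unchecked` and `demo` are hypothetical names, and the buffers are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDRLEN 16u                      /* netlink header size (NLMSG_HDRLEN) */
#define ALIGN4(n) (((n) + 3u) & ~3u)    /* messages are padded to 4 bytes */

/* Same field layout as a netlink message header (simplified model). */
struct hdr { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };

/* Payload length without a prior check: wraps when len < HDRLEN. */
uint32_t payload_len_unchecked(uint32_t len) { return len - HDRLEN; }

/* Walk a batch of messages. Returns the number of messages accepted,
 * or -1 as soon as a header carries an impossible length. */
int walk_batch(const uint8_t *buf, size_t remaining)
{
    int count = 0;
    while (remaining >= HDRLEN) {
        struct hdr h;
        memcpy(&h, buf, sizeof h);
        /* Reject before any arithmetic on len: it must cover its own
         * header and must not claim more than the buffer still holds. */
        if (h.len < HDRLEN || h.len > remaining)
            return -1;
        size_t msglen = ALIGN4(h.len);
        if (msglen > remaining)
            msglen = remaining;
        buf += msglen;                  /* advances by at least HDRLEN, */
        remaining -= msglen;            /* so the loop always terminates */
        count++;
    }
    return count;
}

/* Constructed two-message batch; the second header's length is caller-chosen. */
int demo(uint32_t second_len)
{
    uint8_t buf[40] = {0};
    struct hdr a = { .len = 20 }, b = { .len = second_len };
    memcpy(buf, &a, sizeof a);          /* message 1: header + 4 payload bytes */
    memcpy(buf + 20, &b, sizeof b);     /* message 2 starts at offset 20 */
    return walk_batch(buf, sizeof buf);
}
```

Without the `h.len < HDRLEN` test, a zero length would make `msglen` zero and the walk would never advance, which is the loop described above.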