Re: [PATCH v2] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb

2017-06-08 Thread David Miller
From: Mateusz Jurczyk
Date: Wed, 7 Jun 2017 16:41:57 +0200

> On Wed, Jun 7, 2017 at 4:18 PM, Florian Westphal wrote:
>> Mateusz Jurczyk wrote:
>>> Verify that the length of the socket buffer is sufficient to cover the
>>> nlmsghdr

Re: [PATCH v2] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb

2017-06-07 Thread Mateusz Jurczyk
On Wed, Jun 7, 2017 at 4:18 PM, Florian Westphal wrote:
> Mateusz Jurczyk wrote:
>> Verify that the length of the socket buffer is sufficient to cover the
>> nlmsghdr structure before accessing the nlh->nlmsg_len field for further
>> input sanitization. If

[PATCH v2] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb

2017-06-07 Thread Mateusz Jurczyk
Verify that the length of the socket buffer is sufficient to cover the nlmsghdr structure before accessing the nlh->nlmsg_len field for further input sanitization. If the client only supplies 1-3 bytes of data in sk_buff, then nlh->nlmsg_len remains partially uninitialized and contains leftover

Re: [PATCH v2] decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb

2017-06-07 Thread Florian Westphal
Mateusz Jurczyk wrote:
> Verify that the length of the socket buffer is sufficient to cover the
> nlmsghdr structure before accessing the nlh->nlmsg_len field for further
> input sanitization. If the client only supplies 1-3 bytes of data in
> sk_buff, then nlh->nlmsg_len