netfilter: nfnetlink: validate nfnetlink header from batch

commit 9ea2aa8b7dba9e99544c4187cc298face254569f upstream. Make sure there is enough room for the nfnetlink header in the netlink messages that are part of the batch. There is a similar check in netlink_rcv_skb(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2015-01-04 15:20:29 +0100
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-01-29 17:40:46 -0800
commit: 7266a6b028384bec87fe23128266f00589580f74 (patch)
tree: 08ff8bc7b112157989fd9e2f1b5265ce7f3c3371
parent: 513c66820333a2cc7b54eaa6a7b5c34f6ffaf770 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 13c2e17bbe27..c6619d4bcc32 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -321,7 +321,8 @@ replay:
 		nlh = nlmsg_hdr(skb);
 		err = 0;
 
-		if (nlh->nlmsg_len < NLMSG_HDRLEN) {
+		if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) ||
+		    skb->len < nlh->nlmsg_len) {
 			err = -EINVAL;
 			goto ack;
 		}
author	Pablo Neira Ayuso <pablo@netfilter.org>	2015-01-04 15:20:29 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2015-01-29 17:40:46 -0800
commit	7266a6b028384bec87fe23128266f00589580f74 (patch)
tree	08ff8bc7b112157989fd9e2f1b5265ce7f3c3371
parent	513c66820333a2cc7b54eaa6a7b5c34f6ffaf770 (diff)