From ad8e4b75c8a7bed475d72ce09bf5267188621961 Mon Sep 17 00:00:00 2001 From: Martin Murray Date: Tue, 10 Jan 2006 13:02:29 -0800 Subject: [PATCH] [AF_NETLINK]: Fix DoS in netlink_rcv_skb() From: Martin Murray Sanity check nlmsg_len during netlink_rcv_skb. An nlmsg_len == 0 can cause infinite loop in kernel, effectively DoSing machine. Noted by Matin Murray. Signed-off-by: Chris Wright Signed-off-by: David S. Miller --- net/netlink/af_netlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index a67f1b44c9..bb50c8a9fc 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1422,7 +1422,7 @@ static int netlink_rcv_skb(struct sk_buff *skb, int (*cb)(struct sk_buff *, while (skb->len >= nlmsg_total_size(0)) { nlh = (struct nlmsghdr *) skb->data; - if (skb->len < nlh->nlmsg_len) + if (nlh->nlmsg_len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len) return 0; total_len = min(NLMSG_ALIGN(nlh->nlmsg_len), skb->len); -- 2.39.5