netlink: Warn on unordered or illegal nla_nest_cancel() or nlmsg_cancel()

Calling nla_nest_cancel() in a different order as the nesting was built up can lead to negative offsets being calculated which results in skb_trim() being called with an underflowed unsigned int. Warn if mark < skb->data as it's definitely a bug. Signed-off-by: N Thomas Graf <tgraf@suug.ch> Signed-off-by: N David S. Miller <davem@davemloft.net>

netlink: Warn on unordered or illegal nla_nest_cancel() or nlmsg_cancel()
Calling nla_nest_cancel() in a different order as the nesting was built up can lead to negative offsets being calculated which results in skb_trim() being called with an underflowed unsigned int. Warn if mark < skb->data as it's definitely a bug. Signed-off-by: N Thomas Graf <tgraf@suug.ch> Signed-off-by: N David S. Miller <davem@davemloft.net>
149118d8 · Thomas Graf · David S. Miller · a515abd7 · 149118d8
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

include/net/netlink.h include/net/netlink.h +3 -1

未找到文件。
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -520,8 +520,10 @@ static inline void *nlmsg_get_pos(struct sk_buff *skb)
 */
 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
 {
-	if (mark)
+	if (mark) {
+		WARN_ON((unsigned char *) mark < skb->data);
 		skb_trim(skb, (unsigned char *) mark - skb->data);
+	}
 }
 /**