linux/include
Vegard Nossum 619e803d3c netlink: fix (theoretical) overrun in message iteration
See commit 1045b03e07 ("netlink: fix
overrun in attribute iteration") for a detailed explanation of why
this patch is necessary.

In short, nlmsg_next() can make "remaining" go negative, and the
remaining >= sizeof(...) comparison will promote "remaining" to an
unsigned type, which means that the expression will evaluate to
true for negative numbers, even though it was not intended.

I put "theoretical" in the title because I have no evidence that
this can actually happen, but I suspect that a crafted netlink
packet can trigger some badness.

Note that the last test, which seemingly has the exact same
problem (also true for nla_ok()), is perfectly OK, since we
already know that remaining is positive.

Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-12-25 17:21:17 -08:00
..
acpi ACPICA: disable _BIF warning 2008-11-27 02:17:30 -05:00
asm-arm
asm-frv
asm-generic atomic: fix a typo in atomic_long_xchg() 2008-12-10 08:01:53 -08:00
asm-h8300
asm-m32r
asm-m68k
asm-mn10300 MN10300: Fix __put_user_asm8() 2008-12-10 13:34:33 -08:00
asm-xtensa
crypto
drm drm: move drm vblank initialization/cleanup to driver load/unload 2008-11-25 09:49:03 +10:00
keys
linux net: Remove unused netdev arg from some NAPI interfaces. 2008-12-22 20:43:12 -08:00
math-emu
media
mtd
net netlink: fix (theoretical) overrun in message iteration 2008-12-25 17:21:17 -08:00
pcmcia
rdma
rxrpc
scsi
sound
trace
video Revert "radeonfb: accelerate imageblit and other improvements" 2008-12-10 16:53:32 -08:00
xen
Kbuild