mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-26 12:26:11 +00:00
bpf: Use nla_ok() instead of checking nla_len directly
nla_len may also be too short to be sane, in which case after
recent changes nla_len() will return a wrapped value.
Fixes: 172db56d90 ("netlink: Return unsigned value for nla_len()")
Reported-by: syzbot+f43a23b6e622797c7a28@syzkaller.appspotmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/bpf/20231218231904.260440-1-kuba@kernel.org
This commit is contained in:
Jakub Kicinski
Daniel Borkmann
parent
f7dd48ea76
commit
2130c519a4
1 changed files with 1 additions and 1 deletions
|
|
@ -203,7 +203,7 @@ BPF_CALL_3(bpf_skb_get_nlattr_nest, struct sk_buff *, skb, u32, a, u32, x)
|
|||
return 0;
|
||||
|
||||
nla = (struct nlattr *) &skb->data[a];
|
||||
if (nla->nla_len > skb->len - a)
|
||||
if (!nla_ok(nla, skb->len - a))
|
||||
return 0;
|
||||
|
||||
nla = nla_find_nested(nla, x);
|
||||
|
|
|
|||
Loading…
Reference in a new issue