netfilter: nfnetlink: validate nfnetlink header from batch

Make sure there is enough room for the nfnetlink header in the netlink messages that are part of the batch. There is a similar check in netlink_rcv_skb(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-01-04 15:20:29 +01:00 · 2015-01-04 15:20:29 +01:00 · 9ea2aa8b7d
parent 8ca3f5e974
commit 9ea2aa8b7d
1 changed files with 2 additions and 1 deletions
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@ -321,7 +321,8 @@ replay:
 		nlh = nlmsg_hdr(skb);
 		err = 0;

-		if (nlh->nlmsg_len < NLMSG_HDRLEN) {
+		if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) ||
+		    skb->len < nlh->nlmsg_len) {
 			err = -EINVAL;
 			goto ack;
 		}