From: Martin Murray <murrayma@citi.umich.edu>
Date: Wed, 11 Jan 2006 05:02:29 +0000 (-0800)
Subject: [PATCH] Fix DoS in netlink_rcv_skb() (CVE-2006-0035)
X-Git-Tag: v2.6.15.1~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7abeff5a23abb2d0edc54cc1cc3acaf886ea98ca;p=thirdparty%2Fkernel%2Fstable.git

[PATCH] Fix DoS in netlink_rcv_skb() (CVE-2006-0035)

Sanity check nlmsg_len during netlink_rcv_skb.  An nlmsg_len == 0 can
cause infinite loop in kernel, effectively DoSing machine.  Noted by
Martin Murray.

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index a002f2b686f25..fc5a735ba0ac6 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1422,7 +1422,7 @@ static int netlink_rcv_skb(struct sk_buff *skb, int (*cb)(struct sk_buff *,
 	while (skb->len >= nlmsg_total_size(0)) {
 		nlh = (struct nlmsghdr *) skb->data;
 
-		if (skb->len < nlh->nlmsg_len)
+		if (nlh->nlmsg_len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len)
 			return 0;
 
 		total_len = min(NLMSG_ALIGN(nlh->nlmsg_len), skb->len);