bpf: Use nla_ok() instead of checking nla_len directly
Author: Jakub Kicinski <kuba@kernel.org>
Date: Mon, 18 Dec 2023 23:19:04 +0000 (15:19 -0800)
Committer: Daniel Borkmann <daniel@iogearbox.net>
Committed: Tue, 19 Dec 2023 14:20:40 +0000 (15:20 +0100)
nla_len may also be too short to be sane, in which case after
recent changes nla_len() will return a wrapped value.

Fixes: 172db56d90d2 ("netlink: Return unsigned value for nla_len()")
Reported-by: syzbot+f43a23b6e622797c7a28@syzkaller.appspotmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/bpf/20231218231904.260440-1-kuba@kernel.org
net/core/filter.c

index 4ff6100c6a2733ffe3072d475758f46e3fcda21b..3cc52b82bab8a25feac5c75b33b27dd40086c6ea 100644
@@ -203,7 +203,7 @@ BPF_CALL_3(bpf_skb_get_nlattr_nest, struct sk_buff *, skb, u32, a, u32, x)
                return 0;
 
        nla = (struct nlattr *) &skb->data[a];
-       if (nla->nla_len > skb->len - a)
+       if (!nla_ok(nla, skb->len - a))
                return 0;
 
        nla = nla_find_nested(nla, x);
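Review bot: the old comparison `nla->nla_len > skb->len - a` only rejected an attribute that claimed to be longer than the remaining bytes; it let through an `nla_len` smaller than the attribute header, and once `nla_len()` returns an unsigned value that undersized length becomes a huge wrapped payload size inside `nla_find_nested()`. `nla_ok()` closes that gap because it requires `nla_len >= sizeof(struct nlattr)` as well as `nla_len <= remaining`, so the replacement is the right fix. One thing to confirm: `nla_ok()` takes its second argument as a signed `int remaining`, while `skb->len - a` is unsigned arithmetic, so this relies on the bounds check that precedes the `return 0;` at the top of this hunk guaranteeing `a <= skb->len` before the subtraction; if that earlier check only bounds `a` against `skb->len - sizeof(struct nlattr)`, as it should, the value passed here cannot wrap, and it would be worth saying so in the commit message rather than leaving readers to work it out from the surrounding lines.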