From 3d63c530096ccd118ab7078c7b9f93c040f803bd Mon Sep 17 00:00:00 2001
From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Date: Thu, 12 Jan 2017 22:09:16 -0700
Subject: [PATCH] net: rmnet_data: Fix incorrect netlink handling
rmnet_data netlink handler currently does not check for the
incoming process pid and instead just loops back the pid.
A malicious root user could potentially send a message with
source pid 0 and this could cause rmnet_data to loop the message
back till an out of memory situation occurs.
rmnet_data also does not check for the message length of the
incoming netlink messages and instead casts the netlink message
without checking for the boundary.
Fix these two scenarios by adding the pid and message length checks
respectively.
Bug: 31252965
CRs-Fixed: 1098801
Change-Id: I172c1a7112e67e82959b397af7ddfd963d819bdc
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
---
net/rmnet_data/rmnet_data_config.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/rmnet_data/rmnet_data_config.c b/net/rmnet_data/rmnet_data_config.c
index f6653588c023d..d47389806161e 100644
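--- a/net/rmnet_data/rmnet_data_config.c
+++ b/net/rmnet_data/rmnet_data_config.c
@@ -529,6 +529,11 @@ void rmnet_config_netlink_msg_handler(struct sk_buff *skb)
 nlmsg_header = (struct nlmsghdr *) skb->data;
 rmnet_header = (struct rmnet_nl_msg_s *) nlmsg_data(nlmsg_header);
 
+ if (!nlmsg_header->nlmsg_pid ||
+ (nlmsg_header->nlmsg_len < sizeof(struct nlmsghdr) +
+ sizeof(struct rmnet_nl_msg_s)))
+ return;
+
 LOGL("Netlink message pid=%d, seq=%d, length=%d, rmnet_type=%d",
 nlmsg_header->nlmsg_pid,
 nlmsg_header->nlmsg_seq,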
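Review bot: The added length test compares only the sender-written `nlmsg_len` field against the expected size; nothing in the hunk compares it with `skb->len`, and `skb->data` is cast to `struct nlmsghdr *` before any size is known. A short buffer whose header claims a large `nlmsg_len` would therefore still pass, and later reads of `rmnet_header` could run past the received data. Unless an earlier part of the function (outside this hunk) already validates it, I would bound against the real buffer before dereferencing, for example `if (skb->len < nlmsg_msg_size(sizeof(struct rmnet_nl_msg_s)) || !nlmsg_ok(nlmsg_header, skb->len)) return;`. `nlmsg_pid` is likewise a field the sender fills in, so rejecting zero stops the loop-back described in the commit message but does not authenticate the reply target; `NETLINK_CB(skb).portid` is the kernel-recorded sender and is the safer value to check and reply to. A one-line comment above the check, such as `/* drop kernel-originated (pid 0) and truncated messages */`, would also record why the early return exists.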