From 3d63c530096ccd118ab7078c7b9f93c040f803bd Mon Sep 17 00:00:00 2001 From: Subash Abhinov Kasiviswanathan Date: Thu, 12 Jan 2017 22:09:16 -0700 Subject: [PATCH] net: rmnet_data: Fix incorrect netlink handling rmnet_data netlink handler currently does not check for the incoming process pid and instead just loops back the pid. A malicious root user could potentially send a message with source pid 0 and this could cause rmnet_data to loop the message back till an out of memory situation occurs. rmnet_data also does not check for the message length of the incoming netlink messages and instead casts the netlink message without checking for the boundary. Fix these two scenarios by adding the pid and message length checks respectively. Bug: 31252965 CRs-Fixed: 1098801 Change-Id: I172c1a7112e67e82959b397af7ddfd963d819bdc Signed-off-by: Subash Abhinov Kasiviswanathan --- net/rmnet_data/rmnet_data_config.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/rmnet_data/rmnet_data_config.c b/net/rmnet_data/rmnet_data_config.c index f6653588c023d..d47389806161e 100644 --- a/net/rmnet_data/rmnet_data_config.c +++ b/net/rmnet_data/rmnet_data_config.c @@ -529,6 +529,11 @@ void rmnet_config_netlink_msg_handler(struct sk_buff *skb) nlmsg_header = (struct nlmsghdr *) skb->data; rmnet_header = (struct rmnet_nl_msg_s *) nlmsg_data(nlmsg_header); + if (!nlmsg_header->nlmsg_pid || + (nlmsg_header->nlmsg_len < sizeof(struct nlmsghdr) + + sizeof(struct rmnet_nl_msg_s))) + return; + LOGL("Netlink message pid=%d, seq=%d, length=%d, rmnet_type=%d", nlmsg_header->nlmsg_pid, nlmsg_header->nlmsg_seq,