authorSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>2017-01-12 22:09:16 -0700
committerPat Tjin <pattjin@google.com>2017-01-19 06:16:16 +0000
commitd3d680c3b8eb289cf763c5c8af95a0bf9dbda8c8 (patch)
treec415f56942f91a2f3eb81089cbfee24be59d63cd
parent44e17a6f90b5d4eb99cf69e0b8bcf5441f46f5b9 (diff)
net: rmnet_data: Fix incorrect netlink handlingandroid-7.1.1_r0.47
rmnet_data netlink handler currently does not check the incoming process pid and instead just loops back the pid. A malicious root user could potentially send a message with source pid 0, and this could cause rmnet_data to loop the message back until an out-of-memory situation occurs. rmnet_data also does not check the message length of the incoming netlink messages and instead casts the netlink message without checking the boundary. Fix these two scenarios by adding the pid and message length checks respectively. Bug: 31252965 CRs-Fixed: 1098801 Change-Id: I172c1a7112e67e82959b397af7ddfd963d819bdc Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
-rw-r--r--net/rmnet_data/rmnet_data_config.c5
1 files changed, 5 insertions, 0 deletions
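--- a/net/rmnet_data/rmnet_data_config.c
+++ b/net/rmnet_data/rmnet_data_config.c
@@ -530,6 +530,11 @@ void rmnet_config_netlink_msg_handler(struct sk_buff *skb)
 nlmsg_header = (struct nlmsghdr *) skb->data;
 rmnet_header = (struct rmnet_nl_msg_s *) nlmsg_data(nlmsg_header);
+ if (!nlmsg_header->nlmsg_pid ||
+ (nlmsg_header->nlmsg_len < sizeof(struct nlmsghdr) +
+ sizeof(struct rmnet_nl_msg_s)))
+ return;
+
 LOGL("Netlink message pid=%d, seq=%d, length=%d, rmnet_type=%d",
 nlmsg_header->nlmsg_pid,
 nlmsg_header->nlmsg_seq,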
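Review bot: The new length check validates `nlmsg_header->nlmsg_len`, a value taken from the message itself, but never compares it against the actual buffer size `skb->len`, so a message whose header claims a sufficient length while the skb is shorter still passes and `rmnet_header` is later read past the end of the buffer (that use is outside this hunk, as is the start of `rmnet_config_netlink_msg_handler`). The reads of `nlmsg_pid` and `nlmsg_len` on the added lines also presume `skb->len >= sizeof(struct nlmsghdr)`, which is not established anywhere in the hunk. The standard helpers cover both: `if (!nlmsg_ok(nlmsg_header, skb->len) || !nlmsg_header->nlmsg_pid ||` / `nlmsg_len(nlmsg_header) < sizeof(struct rmnet_nl_msg_s))` / `return;`, where `nlmsg_ok()` bounds the header and its claimed length by the bytes actually present. A one-line comment such as `/* reject pid 0 (would loop the reply back to the kernel) and truncated messages */` would record why both checks exist.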