From f8d54afc4c7a4c41deaa43fbcfffc2976094d342 Mon Sep 17 00:00:00 2001 From: Robert Shearman Date: Fri, 6 Mar 2015 10:47:00 +0000 Subject: mpls: Properly validate RTA_VIA payload length If the nla length is less than 2 then the nla data could be accessed beyond the accessible bounds. So ensure that the nla is big enough to at least read the via_family before doing so. Replace magic value of 2. Fixes: 03c0566542f4 ("mpls: Basic support for adding and removing routes") Cc: Eric W. Biederman Signed-off-by: Robert Shearman Acked-by: "Eric W. Biederman" Signed-off-by: David S. Miller --- net/mpls/af_mpls.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'net/mpls') diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c index 20cf48a8593d..4f265c677eca 100644 --- a/net/mpls/af_mpls.c +++ b/net/mpls/af_mpls.c @@ -586,8 +586,11 @@ static int rtm_to_route_config(struct sk_buff *skb, struct nlmsghdr *nlh, case RTA_VIA: { struct rtvia *via = nla_data(nla); + if (nla_len(nla) < offsetof(struct rtvia, rtvia_addr)) + goto errout; cfg->rc_via_family = via->rtvia_family; - cfg->rc_via_alen = nla_len(nla) - 2; + cfg->rc_via_alen = nla_len(nla) - + offsetof(struct rtvia, rtvia_addr); if (cfg->rc_via_alen > MAX_VIA_ALEN) goto errout; -- cgit v1.2.3