Merge: rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation

zampierilucas · zampierilucas · commit 7f25d81a3f67 · 2024-07-10T17:47:14.000Z
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/4518 JIRA: https://issues.redhat.com/browse/RHEL-39715 CVE: CVE-2024-36017 Upstream Status: all mainline in net.git Tested: boot-tested only Conflicts: None Signed-off-by: Davide Caratti <dcaratti@redhat.com> Approved-by: Sabrina Dubroca <sdubroca@redhat.com> Approved-by: Hangbin Liu <haliu@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: Lucas Zampieri <lzampier@redhat.com>
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
@@ -2567,7 +2567,7 @@ static int do_setvfinfo(struct net_device *dev, struct nlattr **tb)
 
 		nla_for_each_nested(attr, tb[IFLA_VF_VLAN_LIST], rem) {
 			if (nla_type(attr) != IFLA_VF_VLAN_INFO ||
-			    nla_len(attr) < NLA_HDRLEN) {
+			    nla_len(attr) < sizeof(struct ifla_vf_vlan_info)) {
 				return -EINVAL;
 			}
 			if (len >= MAX_VLAN_LIST_LEN)

Original file line number	Diff line number	Diff line change
`@@ -2567,7 +2567,7 @@ static int do_setvfinfo(struct net_device dev, struct nlattr *tb)`
`2567`	`2567`
`2568`	`2568`	`nla_for_each_nested(attr, tb[IFLA_VF_VLAN_LIST], rem) {`
`2569`	`2569`	`if (nla_type(attr) != IFLA_VF_VLAN_INFO \|\|`
`2570`		`- nla_len(attr) < NLA_HDRLEN) {`
	`2570`	`+ nla_len(attr) < sizeof(struct ifla_vf_vlan_info)) {`
`2571`	`2571`	`return -EINVAL;`
`2572`	`2572`	`}`
`2573`	`2573`	`if (len >= MAX_VLAN_LIST_LEN)`