summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEric Andersen2004-05-05 07:05:32 +0000
committerEric Andersen2004-05-05 07:05:32 +0000
commit6c8161d69fe9fce0f862b678aaa84866aaaeff8f (patch)
tree28ca3d47c5325c070ffc3e84b136d8bed02a328f
parent5ec58285c3990ebab9900295f1a1d32824338719 (diff)
downloadbusybox-6c8161d69fe9fce0f862b678aaa84866aaaeff8f.zip
busybox-6c8161d69fe9fce0f862b678aaa84866aaaeff8f.tar.gz
Steve Grubb writes:
Hello, Last November a bug was found in iproute. CAN-2003-0856 has more information. Basically, netlink packets can come from any user. If a program performs action based on netlink packets, they must be examined to make sure they came from the place they are expected (the kernel). Attached is a patch against pre8. Please apply this before releasing 1.00 final. All users of busy box may be vulnerable to local attacks without it. Best Regards, Steve Grubb
-rw-r--r--networking/libiproute/libnetlink.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/networking/libiproute/libnetlink.c b/networking/libiproute/libnetlink.c
index 861daef..5545be8 100644
--- a/networking/libiproute/libnetlink.c
+++ b/networking/libiproute/libnetlink.c
@@ -161,7 +161,8 @@ int rtnl_dump_filter(struct rtnl_handle *rth,
while (NLMSG_OK(h, status)) {
int err;
- if (h->nlmsg_pid != rth->local.nl_pid ||
+ if (nladdr.nl_pid != 0 ||
+ h->nlmsg_pid != rth->local.nl_pid ||
h->nlmsg_seq != rth->dump) {
if (junk) {
err = junk(&nladdr, h, arg2);
@@ -270,7 +271,8 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer,
bb_error_msg_and_die("!!!malformed message: len=%d", len);
}
- if (h->nlmsg_pid != rtnl->local.nl_pid ||
+ if (nladdr.nl_pid != peer ||
+ h->nlmsg_pid != rtnl->local.nl_pid ||
h->nlmsg_seq != seq) {
if (junk) {
l_err = junk(&nladdr, h, jarg);