summaryrefslogtreecommitdiff
path: root/networking/libiproute
diff options
context:
space:
mode:
authorEric Andersen2004-05-05 07:05:32 +0000
committerEric Andersen2004-05-05 07:05:32 +0000
commit6c8161d69fe9fce0f862b678aaa84866aaaeff8f (patch)
tree28ca3d47c5325c070ffc3e84b136d8bed02a328f /networking/libiproute
parent5ec58285c3990ebab9900295f1a1d32824338719 (diff)
downloadbusybox-6c8161d69fe9fce0f862b678aaa84866aaaeff8f.zip
busybox-6c8161d69fe9fce0f862b678aaa84866aaaeff8f.tar.gz
Steve Grubb writes:
Hello, Last November a bug was found in iproute. CAN-2003-0856 has more information. Basically, netlink packets can come from any user. If a program performs action based on netlink packets, they must be examined to make sure they came from the place they are expected (the kernel). Attached is a patch against pre8. Please apply this before releasing 1.00 final. All users of busy box may be vulnerable to local attacks without it. Best Regards, Steve Grubb
Diffstat (limited to 'networking/libiproute')
-rw-r--r--networking/libiproute/libnetlink.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/networking/libiproute/libnetlink.c b/networking/libiproute/libnetlink.c
index 861daef..5545be8 100644
--- a/networking/libiproute/libnetlink.c
+++ b/networking/libiproute/libnetlink.c
@@ -161,7 +161,8 @@ int rtnl_dump_filter(struct rtnl_handle *rth,
while (NLMSG_OK(h, status)) {
int err;
- if (h->nlmsg_pid != rth->local.nl_pid ||
+ if (nladdr.nl_pid != 0 ||
+ h->nlmsg_pid != rth->local.nl_pid ||
h->nlmsg_seq != rth->dump) {
if (junk) {
err = junk(&nladdr, h, arg2);
@@ -270,7 +271,8 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer,
bb_error_msg_and_die("!!!malformed message: len=%d", len);
}
- if (h->nlmsg_pid != rtnl->local.nl_pid ||
+ if (nladdr.nl_pid != peer ||
+ h->nlmsg_pid != rtnl->local.nl_pid ||
h->nlmsg_seq != seq) {
if (junk) {
l_err = junk(&nladdr, h, jarg);