Commit 2130c519 authored Dec 18, 2023 by Jakub Kicinski Committed by Daniel Borkmann Dec 19, 2023

bpf: Use nla_ok() instead of checking nla_len directly



nla_len may also be too short to be sane, in which case after
recent changes nla_len() will return a wrapped value.

Fixes: 172db56d ("netlink: Return unsigned value for nla_len()")
Reported-by:  <syzbot+f43a23b6e622797c7a28@syzkaller.appspotmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/bpf/20231218231904.260440-1-kuba@kernel.org

parent f7dd48ea

net/core/filter.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -203,7 +203,7 @@ BPF_CALL_3(bpf_skb_get_nlattr_nest, struct sk_buff *, skb, u32, a, u32, x)
		return 0;

		nla = (struct nlattr *) &skb->data[a];
		if (nla->nla_len > skb->len - a)
		if (!nla_ok(nla, skb->len - a))
		return 0;

		nla = nla_find_nested(nla, x);