On Mon, Feb 24, 2020 at 5:53 PM Paul Moore <p...@paul-moore.com> wrote:
> This patch ensures that we always check the netlink payload length
> in audit_receive_msg() before we take any action on the payload
> itself.
>
> Cc: sta...@vger.kernel.org
> Reported-by: syzbot+399c44bf1f43b8747...@syzkaller.appspotmail.com
> Reported-by: syzbot+e4b12d8d202701f08...@syzkaller.appspotmail.com
> Signed-off-by: Paul Moore <p...@paul-moore.com>
> ---
> kernel/audit.c | 43 +++++++++++++++++++++++--------------------
> 1 file changed, 23 insertions(+), 20 deletions(-)
... > diff --git a/kernel/audit.c b/kernel/audit.c > index 17b0d523afb3..6e8b176bdb68 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -1314,11 +1314,14 @@ static int audit_receive_msg(struct sk_buff *skb, > struct nlmsghdr *nlh) > if (err) > return err; > break; > - case AUDIT_SET_FEATURE: > - err = audit_set_feature(skb); > + case AUDIT_SET_FEATURE: { > + if (data_len < sizeof(struct audit_features)) > + return -EINVAL; > + err = audit_set_feature(data); > if (err) > return err; > break; > + } Ooops, these braces are an artifact from a previous revision. Consider them removed. -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
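Review bot: the braces around the `case AUDIT_SET_FEATURE:` body (`+ case AUDIT_SET_FEATURE: {` and the trailing `+ }` after `break;`) serve no purpose since the block declares no locals; drop them, as the reply below the hunk already concedes. The length check itself is the right shape: returning `-EINVAL` when `data_len < sizeof(struct audit_features)` before `audit_set_feature(data)` touches the payload means a short netlink message can no longer be read past its end. Two things to confirm that this excerpt does not show: the call changes from `audit_set_feature(skb)` to `audit_set_feature(data)`, so the function's definition must take the payload pointer in the elided part of the patch, and `data_len` should be the netlink payload length derived from the header earlier in `audit_receive_msg()` rather than the full skb length, otherwise the comparison would be against the wrong bound.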