List: oss-security
Subject: Re: [oss-security] CVE request: libcgroup: Failure to verify netlink messages
From: Steve Grubb <sgrubb () redhat ! com>
Date: 2011-02-25 16:50:33
Message-ID: 201102251150.33261.sgrubb () redhat ! com
On Friday, February 25, 2011 10:43:20 am Nelson Elhage wrote:
> On Fri, Feb 25, 2011 at 10:20:02AM -0500, Steve Grubb wrote:
> > The current patch does not check if (from_nla_len != sizeof(from_nla))
> > before making decisions based on the header. I contacted upstream about
> > this.
>
> From my reading of the netlink code, recvmsg() / recvfrom() on a netlink
> socket will never return a from_nla_len != sizeof(struct sockaddr_nl).
> Am I missing something, did this change at some point, or are you just
> suggesting general paranoid good practice? It's probably good advice in
> any case, I'm just curious whether you're aware of cases where this can
> actually be a problem.
I don't know what is considered the ultimate authority on this. If you look at libnl,
in lib/nl.c you find this:

    if (msg.msg_namelen != sizeof(struct sockaddr_nl)) {
        free(msg.msg_control);
        free(*buf);
        return -NLE_NOADDR;
    }

There are many projects that do something similar. However, looking at glibc, they do
other kinds of validation like the sequence number.
-Steve
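Added example (not code from this thread, from libcgroup, libnl or glibc): a C receive-side validator that applies the msg_namelen check Steve quotes from libnl together with the kinds of checks the thread attributes to glibc, namely that the sender is the kernel (nl_pid == 0, since any local process can address a datagram to another process's netlink socket) and that the nlmsg_seq and nlmsg_pid in each header match the request that was sent. The functions nl_validate_reply, nl_build_sample and nl_check_sample, the enum names, and the port id 4242 are constructed for this example; nl_check_sample builds a synthetic reply in memory so the checks can be exercised without opening a socket.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <linux/netlink.h>

/* Outcome of validating one recvmsg() result from a netlink socket.
 * (Example code; these names are not from libcgroup, libnl or glibc.) */
enum nl_check {
    NL_OK = 0,
    NL_BAD_ADDRLEN,   /* msg_namelen != sizeof(struct sockaddr_nl) (the libnl check) */
    NL_BAD_FAMILY,    /* sender address is not AF_NETLINK */
    NL_NOT_KERNEL,    /* nl_pid != 0: datagram came from a user process, not the kernel */
    NL_TRUNCATED,     /* recvmsg() failed, MSG_TRUNC was set, or no buffer was supplied */
    NL_BAD_SEQ,       /* nlmsg_seq does not match the request we sent */
    NL_BAD_PID        /* nlmsg_pid does not match our own port id */
};

/* Validate the sender address and every nlmsghdr in a received datagram.
 * 'msg' is the msghdr as filled in by recvmsg() and 'len' its return value;
 * 'expected_seq' / 'our_pid' are the values we put in the request. */
enum nl_check nl_validate_reply(const struct msghdr *msg, ssize_t len,
                                uint32_t expected_seq, uint32_t our_pid)
{
    const struct sockaddr_nl *from = msg->msg_name;
    const struct nlmsghdr *nh;
    int remaining;

    if (from == NULL || msg->msg_namelen != sizeof(struct sockaddr_nl))
        return NL_BAD_ADDRLEN;
    if (from->nl_family != AF_NETLINK)
        return NL_BAD_FAMILY;
    if (from->nl_pid != 0)
        return NL_NOT_KERNEL;
    if (len < 0 || (msg->msg_flags & MSG_TRUNC) || msg->msg_iovlen < 1)
        return NL_TRUNCATED;

    /* Walk the headers with the kernel-provided bounds macros. */
    nh = msg->msg_iov[0].iov_base;
    remaining = (int)len;
    for (; NLMSG_OK(nh, remaining); nh = NLMSG_NEXT(nh, remaining)) {
        if (nh->nlmsg_seq != expected_seq)
            return NL_BAD_SEQ;
        if (nh->nlmsg_pid != our_pid)
            return NL_BAD_PID;
        if (nh->nlmsg_type == NLMSG_DONE)
            break;
    }
    return NL_OK;
}

/* Build a constructed (not captured) reply: one NLMSG_DONE message with a
 * 4-byte payload. Returns the number of bytes written, 0 if buf is too small. */
size_t nl_build_sample(unsigned char *buf, size_t cap, uint32_t seq, uint32_t pid)
{
    struct nlmsghdr nh;
    memset(&nh, 0, sizeof nh);
    nh.nlmsg_len = NLMSG_LENGTH(sizeof(int));
    nh.nlmsg_type = NLMSG_DONE;
    nh.nlmsg_seq = seq;
    nh.nlmsg_pid = pid;
    if (cap < NLMSG_ALIGN(nh.nlmsg_len))
        return 0;
    memset(buf, 0, NLMSG_ALIGN(nh.nlmsg_len));
    memcpy(buf, &nh, sizeof nh);
    return NLMSG_ALIGN(nh.nlmsg_len);
}

/* Assemble a synthetic msghdr, as recvmsg() would fill it in, and validate it.
 * 'namelen' and 'from_pid' model what the sender address looked like;
 * 'seq_sent' is what we sent, 'seq_recv' what the reply carries. */
enum nl_check nl_check_sample(socklen_t namelen, uint32_t from_pid,
                              uint32_t seq_sent, uint32_t seq_recv)
{
    unsigned char buf[64];
    struct sockaddr_nl from;
    struct iovec iov;
    struct msghdr msg;
    const uint32_t our_pid = 4242;   /* constructed port id for the example */
    size_t n = nl_build_sample(buf, sizeof buf, seq_recv, our_pid);

    memset(&from, 0, sizeof from);
    from.nl_family = AF_NETLINK;
    from.nl_pid = from_pid;          /* 0 means "from the kernel" */

    iov.iov_base = buf;
    iov.iov_len = n;
    memset(&msg, 0, sizeof msg);
    msg.msg_name = &from;
    msg.msg_namelen = namelen;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    return nl_validate_reply(&msg, (ssize_t)n, seq_sent, our_pid);
}
```

In a real receiver, nl_validate_reply is called right after recvmsg() on the msghdr that was passed in; a result other than NL_OK means the datagram should be discarded rather than parsed, which is the check the thread says libcgroup's patch still lacked.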