mirror of https://github.com/mirror/busybox.git
Steve Grubb writes:
Hello, Last November a bug was found in iproute. CAN-2003-0856 has more information. Basically, netlink packets can come from any user. If a program performs actions based on netlink packets, they must be examined to make sure they came from the place they are expected (the kernel). Attached is a patch against pre8. Please apply this before releasing 1.00 final. All users of busybox may be vulnerable to local attacks without it. Best Regards, Steve Grubb
1_00_stable_10817
parent
5ec58285c3
commit
6c8161d69f
|
@ -161,7 +161,8 @@ int rtnl_dump_filter(struct rtnl_handle *rth,
|
||||||
while (NLMSG_OK(h, status)) {
|
while (NLMSG_OK(h, status)) {
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
if (h->nlmsg_pid != rth->local.nl_pid ||
|
if (nladdr.nl_pid != 0 ||
|
||||||
|
h->nlmsg_pid != rth->local.nl_pid ||
|
||||||
h->nlmsg_seq != rth->dump) {
|
h->nlmsg_seq != rth->dump) {
|
||||||
if (junk) {
|
if (junk) {
|
||||||
err = junk(&nladdr, h, arg2);
|
err = junk(&nladdr, h, arg2);
|
||||||
|
@ -270,7 +271,8 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer,
|
||||||
bb_error_msg_and_die("!!!malformed message: len=%d", len);
|
bb_error_msg_and_die("!!!malformed message: len=%d", len);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (h->nlmsg_pid != rtnl->local.nl_pid ||
|
if (nladdr.nl_pid != peer ||
|
||||||
|
h->nlmsg_pid != rtnl->local.nl_pid ||
|
||||||
h->nlmsg_seq != seq) {
|
h->nlmsg_seq != seq) {
|
||||||
if (junk) {
|
if (junk) {
|
||||||
l_err = junk(&nladdr, h, jarg);
|
l_err = junk(&nladdr, h, jarg);
|
||||||
|
|
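Review bot: In the rtnl_talk hunk the new `nladdr.nl_pid != peer` test comes only after the length validation above it, so a datagram from an unexpected sender can still reach `bb_error_msg_and_die("!!!malformed message: len=%d", len)` and end the program before its origin is examined. The sender address describes the whole datagram rather than each `nlmsghdr`, so the test would sit better once, directly after the receive call and before any header is parsed, something like `if (nladdr.nl_pid != peer) continue;`. The receive call and the enclosing loop are outside the hunk, so the exact placement and skip path need confirming. In both hunks a message that fails the sender test is still handed to the caller's `junk` callback, which therefore has to treat `h` as untrusted input. A one-line comment at each test would record the reason, e.g. `/* nl_pid 0 is the kernel; anything else is a user-space sender (CAN-2003-0856) */` in rtnl_dump_filter.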