Steve Grubb writes:

Hello,

Last November a bug was found in iproute. CAN-2003-0856 has more information.
Basically, netlink packets can come from any user. If a program performs action
based on netlink packets, they must be examined to make sure they came from the
place they are expected (the kernel).

Attached is a patch against pre8. Please apply this before releasing 1.00 final.
All users of busy box may be vulnerable to local attacks without it.

Best Regards,
Steve Grubb
This commit is contained in:
Eric Andersen 2004-05-05 07:05:32 +00:00
parent 5ec58285c3
commit 6c8161d69f

View File

@ -161,7 +161,8 @@ int rtnl_dump_filter(struct rtnl_handle *rth,
while (NLMSG_OK(h, status)) { while (NLMSG_OK(h, status)) {
int err; int err;
if (h->nlmsg_pid != rth->local.nl_pid || if (nladdr.nl_pid != 0 ||
h->nlmsg_pid != rth->local.nl_pid ||
h->nlmsg_seq != rth->dump) { h->nlmsg_seq != rth->dump) {
if (junk) { if (junk) {
err = junk(&nladdr, h, arg2); err = junk(&nladdr, h, arg2);
@ -270,7 +271,8 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer,
bb_error_msg_and_die("!!!malformed message: len=%d", len); bb_error_msg_and_die("!!!malformed message: len=%d", len);
} }
if (h->nlmsg_pid != rtnl->local.nl_pid || if (nladdr.nl_pid != peer ||
h->nlmsg_pid != rtnl->local.nl_pid ||
h->nlmsg_seq != seq) { h->nlmsg_seq != seq) {
if (junk) { if (junk) {
l_err = junk(&nladdr, h, jarg); l_err = junk(&nladdr, h, jarg);