nla_len may also be too short to be sane, in which case after recent changes nla_len() will return a wrapped value. Reported-by: syzbot+f43a23b6e622797c7a28@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: 172db56d90d2 ("netlink: Return unsigned value for nla_len()") Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx> --- CC: martin.lau@xxxxxxxxx CC: daniel@xxxxxxxxxxxxx CC: john.fastabend@xxxxxxxxx CC: ast@xxxxxxxxxx CC: andrii@xxxxxxxxxx CC: song@xxxxxxxxxx CC: yonghong.song@xxxxxxxxx CC: kpsingh@xxxxxxxxxx CC: sdf@xxxxxxxxxx CC: haoluo@xxxxxxxxxx CC: jolsa@xxxxxxxxxx CC: keescook@xxxxxxxxxxxx CC: bpf@xxxxxxxxxxxxxxx --- net/core/filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/core/filter.c b/net/core/filter.c index 6d89a9cf33c9..24061f29c9dd 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -203,7 +203,7 @@ BPF_CALL_3(bpf_skb_get_nlattr_nest, struct sk_buff *, skb, u32, a, u32, x) return 0; nla = (struct nlattr *) &skb->data[a]; - if (nla->nla_len > skb->len - a) + if (!nla_ok(nla, skb->len - a)) return 0; nla = nla_find_nested(nla, x); -- 2.43.0
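Review bot: the `nla_ok()` call passes `skb->len - a` (an unsigned subtraction) into a parameter declared as `int remaining`; that is only safe if `a <= skb->len` is already guaranteed when this line is reached. The `return 0;` immediately above the `nla = (struct nlattr *) &skb->data[a];` line suggests a preceding bounds check on `a`, but that check is not in the hunk, so please confirm it and mention it in the commit message so the invariant is not lost in a later refactor. The switch itself is the right fix for the reported problem: the old `nla->nla_len > skb->len - a` test only bounded nla_len from above, whereas `nla_ok()` also rejects a header shorter than `sizeof(struct nlattr)` and a remaining length too small to hold a header, which is what keeps a wrapped `nla_len()` result from reaching `nla_find_nested()`. One more line in the commit message noting that `nla_ok()` returns false for a negative remaining length would make the reasoning self-contained.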