On Tue, Apr 22, 2014 at 12:30:28PM -0700, Andy Lutomirski wrote: > This is unlikely to be exploitable for anything except an OOPS. > > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx> > --- > > Notes: > This is entirely untested, but it looks obviously correct to me. > > crypto/crypto_user.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c > index 1512e41..bc7c4b5 100644 > --- a/crypto/crypto_user.c > +++ b/crypto/crypto_user.c > @@ -460,7 +460,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > int type, err; > > type = nlh->nlmsg_type; > - if (type > CRYPTO_MSG_MAX) > + if (type < CRYPTO_MSG_BASE || type > CRYPTO_MSG_MAX) > return -EINVAL; Adding a check here is obviously harmless but I think this is only called from netlink_rcv_skb() which already checks: if (nlh->nlmsg_type < NLMSG_MIN_TYPE) goto ack; NLMSG_MIN_TYPE is 0x10 as well, so I don't think we can hit your condition. Your patch freaked me out a little because this is one of the bugs that I should have caught throught static analysis. regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html