On Wed, Jan 22, 2025 at 04:49:17PM +0300, Dan Carpenter wrote:
> The "payload" variable is type size_t, however the nlmsg_total_size()
> function will a few bytes to it and then truncate the result to type
> int. That means that if "payload" is more than UINT_MAX the alloc_skb()
> function might allocate a buffer which is smaller than intended.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: bfa83a9e03cf ("[NETLINK]: Type-safe netlink messages/attributes interface")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> include/net/netlink.h | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/include/net/netlink.h b/include/net/netlink.h
> index e015ffbed819..ca7a8152e6d4 100644
> --- a/include/net/netlink.h
> +++ b/include/net/netlink.h
> @@ -1015,6 +1015,8 @@ static inline struct nlmsghdr *nlmsg_put_answer(struct sk_buff *skb,
> */
> static inline struct sk_buff *nlmsg_new(size_t payload, gfp_t flags)
> {
> + if (payload > INT_MAX)
> + return NULL;
> return alloc_skb(nlmsg_total_size(payload), flags);
Hi Dan,
I wonder if this is sufficient.
If payload is INT_MAX then won't the call to nlmsg_msg_size() inside
nlmsg_total_size() overflow. And likewise, it feels that NLMSG_ALIGN
could overflow somehow.
