This is a note to let you know that I've just added the patch titled rtnetlink: Mask the rta_type when range checking to the 3.8-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: rtnetlink-mask-the-rta_type-when-range-checking.patch and it can be found in the queue-3.8 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 8e19bd050e8d9290964fa9b758fede105579ede9 Mon Sep 17 00:00:00 2001 From: Vlad Yasevich <vyasevic@xxxxxxxxxx> Date: Wed, 13 Mar 2013 04:18:58 +0000 Subject: rtnetlink: Mask the rta_type when range checking From: Vlad Yasevich <vyasevic@xxxxxxxxxx> [ Upstream commit a5b8db91442fce9c9713fcd656c3698f1adde1d6 ] Range/validity checks on rta_type in rtnetlink_rcv_msg() do not account for flags that may be set. This causes the function to return -EINVAL when flags are set on the type (for example NLA_F_NESTED). Signed-off-by: Vlad Yasevich <vyasevic@xxxxxxxxxx> Acked-by: Thomas Graf <tgraf@xxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/core/rtnetlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -2539,7 +2539,7 @@ static int rtnetlink_rcv_msg(struct sk_b struct rtattr *attr = (void *)nlh + NLMSG_ALIGN(min_len); while (RTA_OK(attr, attrlen)) { - unsigned int flavor = attr->rta_type; + unsigned int flavor = attr->rta_type & NLA_TYPE_MASK; if (flavor) { if (flavor > rta_max[sz_idx]) return -EINVAL; Patches currently in stable-queue which might be from vyasevic@xxxxxxxxxx are queue-3.8/rtnetlink-mask-the-rta_type-when-range-checking.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html