[Quantal/Raring] [PATCH 1/1] [CVE-2013-1763] sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
Brad Figg
brad.figg at canonical.com
Mon Feb 25 17:45:41 UTC 2013
From: Mathias Krause <minipli at googlemail.com>
CVE-2013-1763
BugLink: http://bugs.launchpad.net/bugs/1132896
Signed-off-by: Mathias Krause <minipli at googlemail.com>
Signed-off-by: Brad Figg <brad.figg at canonical.com>
Signed-off-by: Steve Conklin <sconklin at canonical.com>
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
net/core/sock_diag.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index 5fd1467..964a92c 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -126,6 +126,9 @@ static int __sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (nlmsg_len(nlh) < sizeof(*req))
return -EINVAL;
+ if (req->sdiag_family >= AF_MAX)
+ return -EINVAL;
+
hndl = sock_diag_lock_handler(req->sdiag_family);
if (hndl == NULL)
err = -ENOENT;
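Review bot: The bound on req->sdiag_family is enforced here at the call site in __sock_diag_rcv_msg(), not inside sock_diag_lock_handler(), which is the function that receives the family value for the sock_diag_handlers[] lookup named in the subject. Any other path that hands an unvalidated family to that helper stays exposed, so either move the `>= AF_MAX` test into the helper (returning NULL so the existing -ENOENT path handles it) or confirm this is the only caller fed from message contents. The test covers the upper bound only, which is sufficient only if sdiag_family is an unsigned type; the declaration is not visible in this hunk and is worth checking. The commit message carries only the subject line and the CVE/BugLink tags; a sentence describing the out-of-bounds condition and why AF_MAX is the right limit would help anyone reviewing the backport.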
--
1.7.9.5