Re: [PATCH] netlink: fix overrun in attribute iteration

[David Wagner]

Vegard Nossum  wrote:
>  /**
>   * nla_ok - check if the netlink attribute fits into the remaining bytes
>   * @nla: netlink attribute
>   * @remaining: number of bytes remaining in attribute stream
>   */
>  static inline int nla_ok(const struct nlattr *nla, int remaining)
>  {
>          return remaining >= sizeof(*nla) &&
>                 nla->nla_len >= sizeof(*nla) &&
>                 nla->nla_len <= remaining;
>  }

If 'remaining' had been declared to be of type size_t, this would
not have happened.

Guideline for secure programming: length values (and counts of bytes)
should be declared as size_t, where possible.

This guideline eliminates many signed/unsigned bugs.  If one also
carefully avoids overflow (wraparound), other integer overflow bugs
are avoided as well.

The code above violates the guideline so we shouldn't be terribly
surprised if it happens to contain signed/unsigned vulnerabilities.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/