Re: [PATCH] netlink: fix overrun in attribute iteration

From: Vegard Nossum
Date: Fri Sep 12 2008 - 01:49:19 EST

On Fri, Sep 12, 2008 at 5:51 AM, David Wagner <daw@xxxxxxxxxxxxxxx> wrote:
> Vegard Nossum wrote:
>> /**
>>  * nla_ok - check if the netlink attribute fits into the remaining bytes
>>  * @nla: netlink attribute
>>  * @remaining: number of bytes remaining in attribute stream
>>  */
>> static inline int nla_ok(const struct nlattr *nla, int remaining)
>> {
>>         return remaining >= sizeof(*nla) &&
>>                nla->nla_len >= sizeof(*nla) &&
>>                nla->nla_len <= remaining;
>> }
> If 'remaining' had been declared to be of type size_t, this would
> not have happened.

Hm. Yes, it would!

The problem here is that "remaining" can legitimately contain negative
values (see the pointer advancement in nla_next()). And size_t can't
hold negative values.


"The animistic metaphor of the bug that maliciously sneaked in while
the programmer was not looking is intellectually dishonest as it
disguises that the error is the programmer's own creation."
-- E. W. Dijkstra, EWD1036
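Added example, not part of either mail and not the kernel's own code: a stand-alone C program that reproduces the signed/unsigned mix-up the thread is about. It assumes a constructed 4-byte nlattr layout (u16 nla_len, u16 nla_type, host byte order) and a 4-byte NLA_ALIGNTO, re-implements nla_next() the way the mail describes it (subtracting the aligned length, so 'remaining' can go negative), and adds a read_len() counter that the real code does not have, purely to make the out-of-stream dereference observable. The unsafe variant is the check quoted above; the fixed variant casts sizeof() to int, which is the one-token change that was merged.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct nlattr: 2-byte length
 * (header plus payload, unaligned) and 2-byte type, host byte order. */
struct nlattr {
    uint16_t nla_len;
    uint16_t nla_type;
};

#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))

/* Instrumentation (not in the kernel): count how often a check dereferences
 * nla->nla_len, which is the read that runs past the buffer in the bug. */
static int header_reads;
static uint16_t read_len(const struct nlattr *nla)
{
    header_reads++;
    return nla->nla_len;
}

/* nla_ok() as quoted above. 'remaining' is int but sizeof(*nla) is size_t,
 * so the first operand is an unsigned comparison (gcc -Wsign-compare warns
 * here): a negative 'remaining' converts to a huge value, the test passes,
 * and the second operand reads nla->nla_len from beyond the stream's end. */
int nla_ok_unsafe(const struct nlattr *nla, int remaining)
{
    return remaining >= sizeof(*nla) &&
           read_len(nla) >= sizeof(*nla) &&
           nla->nla_len <= remaining;
}

/* The merged fix: cast sizeof to int so the comparison is signed and a
 * negative 'remaining' short-circuits before nla is dereferenced. */
int nla_ok_fixed(const struct nlattr *nla, int remaining)
{
    return remaining >= (int) sizeof(*nla) &&
           read_len(nla) >= sizeof(*nla) &&
           nla->nla_len <= remaining;
}

/* nla_next() as described in the mail: step by the aligned length and
 * subtract it from 'remaining', which goes negative when the last payload
 * is not a multiple of NLA_ALIGNTO. That is why 'remaining' cannot be size_t. */
const struct nlattr *nla_next(const struct nlattr *nla, int *remaining)
{
    int totlen = NLA_ALIGN(nla->nla_len);
    *remaining -= totlen;
    return (const struct nlattr *) ((const char *) nla + totlen);
}

typedef int (*nla_check_fn)(const struct nlattr *, int);
/* Iterate a stream with the given check. Returns the number of attributes
 * accepted; stores the final 'remaining' and the nla_len dereference count. */
int walk_attrs(const void *buf, int len, nla_check_fn check,
               int *final_remaining, int *reads)
{
    const struct nlattr *nla = buf;
    int remaining = len;
    int count = 0;

    header_reads = 0;
    while (check(nla, remaining)) {
        count++;
        nla = nla_next(nla, &remaining);
    }
    *final_remaining = remaining;
    *reads = header_reads;
    return count;
}

/* Constructed 14-byte stream. NLA_ALIGN(6) == 8, so after attr 2 the cursor
 * sits at offset 16 and 'remaining' is 14 - 8 - 8 == -2. The 6 pad bytes
 * keep this demonstration's out-of-stream read inside memory we own. */
static const struct {
    struct nlattr h1; uint8_t p1[4];   /* attr 1: len 8, 4-byte payload */
    struct nlattr h2; uint8_t p2[2];   /* attr 2: len 6, 2-byte payload */
    uint8_t pad[6];
} sample_stream = {
    { 8, 1 }, { 0xaa, 0xaa, 0xaa, 0xaa },
    { 6, 2 }, { 0xbb, 0xbb },
    { 0 },
};
#define SAMPLE_LEN 14

/* Convenience for callers: nla_len dereference count for a full walk. */
int reads_for(nla_check_fn check)
{
    int rem, reads;
    walk_attrs(&sample_stream, SAMPLE_LEN, check, &rem, &reads);
    return reads;
}

int main(void)
{
    printf("nla_len reads, unsafe check: %d (one past the stream)\n", reads_for(nla_ok_unsafe));
    printf("nla_len reads, fixed check:  %d\n", reads_for(nla_ok_fixed));
    return 0;
}
```

Both variants accept the same two attributes, because the third operand (nla_len <= remaining) is a signed comparison and rejects the bogus header either way; the difference is that the unsafe check has already dereferenced the header at offset 16, two bytes past the 14-byte stream, before it gets there. In the kernel that read lands on whatever follows the skb data, which is what kmemcheck flagged. Declaring 'remaining' as size_t would not help, since nla_next() legitimately drives it to -2 here; the int cast on sizeof() is the minimal correct fix.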
