Commit 1a390732 authored by Eric Dumazet's avatar Eric Dumazet Committed by Guo Mengqi
Browse files

phonet: fix rtm_phonet_notify() skb allocation 

mainline inclusion
from mainline-v6.9
commit d8cac8568618dcb8a51af3db1103e8d4cc4aeea7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U4L2
CVE: CVE-2024-36946

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d8cac8568618dcb8a51af3db1103e8d4cc4aeea7



--------------------------------

fill_route() stores three components in the skb:

- struct rtmsg
- RTA_DST (u8)
- RTA_OIF (u32)

Therefore, rtm_phonet_notify() should use

NLMSG_ALIGN(sizeof(struct rtmsg)) +
nla_total_size(1) +
nla_total_size(4)

Fixes: f062f41d ("Phonet: routing table Netlink interface")
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Acked-by: default avatarRémi Denis-Courmont <courmisch@gmail.com>
Link: https://lore.kernel.org/r/20240502161700.1804476-1-edumazet@google.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarWang Wensheng <wangwensheng4@huawei.com>
parent 47f16eba

net/phonet/pn_netlink.c

+1 −1
Original line number Diff line number Diff line
@@ -193,7 +193,7 @@ void rtm_phonet_notify(int event, struct net_device *dev, u8 dst) 
	struct sk_buff *skb;

	int err = -ENOBUFS;



	skb = nlmsg_new(NLMSG_ALIGN(sizeof(struct ifaddrmsg)) +

	skb = nlmsg_new(NLMSG_ALIGN(sizeof(struct rtmsg)) +

			nla_total_size(1) + nla_total_size(4), GFP_KERNEL);

	if (skb == NULL)

		goto errout;