| From foo@baz Fri Apr 11 08:46:36 PDT 2014 |
| From: Pablo Neira <pablo@netfilter.org> |
| Date: Tue, 1 Apr 2014 19:38:44 +0200 |
| Subject: netlink: don't compare the nul-termination in nla_strcmp |
| |
| From: Pablo Neira <pablo@netfilter.org> |
| |
| [ Upstream commit 8b7b932434f5eee495b91a2804f5b64ebb2bc835 ] |
| |
| nla_strcmp compares the string length plus one, so it's implicitly |
| including the nul-termination in the comparison. |
| |
| int nla_strcmp(const struct nlattr *nla, const char *str) |
| { |
| int len = strlen(str) + 1; |
| ... |
| d = memcmp(nla_data(nla), str, len); |
| |
| However, if NLA_STRING is used, userspace can send us a string without |
| the nul-termination. This is a problem since the string |
| comparison will not match as the last byte may not be the |
| nul-termination. |
| |
| Fix this by skipping the comparison of the nul-termination if the |
| attribute data is nul-terminated. Suggested by Thomas Graf. |
| |
| Cc: Florian Westphal <fw@strlen.de> |
| Cc: Thomas Graf <tgraf@suug.ch> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| lib/nlattr.c | 10 ++++++++-- |
| 1 file changed, 8 insertions(+), 2 deletions(-) |
| |
| --- a/lib/nlattr.c |
| +++ b/lib/nlattr.c |
| @@ -303,9 +303,15 @@ int nla_memcmp(const struct nlattr *nla, |
| */ |
| int nla_strcmp(const struct nlattr *nla, const char *str) |
| { |
| - int len = strlen(str) + 1; |
| - int d = nla_len(nla) - len; |
| + int len = strlen(str); |
| + char *buf = nla_data(nla); |
| + int attrlen = nla_len(nla); |
| + int d; |
| |
| + if (attrlen > 0 && buf[attrlen - 1] == '\0') |
| + attrlen--; |
| + |
| + d = attrlen - len; |
| if (d == 0) |
| d = memcmp(nla_data(nla), str, len); |
| |
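Review bot: The unchanged `d = memcmp(nla_data(nla), str, len);` line at the end of this hunk still calls `nla_data(nla)` even though the new local `buf` already holds that pointer; use `buf` there so the length check and the comparison visibly operate on the same data. Since `buf` is only read (`buf[attrlen - 1] == '\0'`), it can be declared `const char *buf`. It is also worth noting in the function's comment that exactly one trailing nul is dropped from `attrlen` before the comparison, so an attribute carrying "str" and one carrying "str\0" both compare equal to `str`, while an attribute ending in more than one nul byte still compares as different.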