From 6c8161d69fe9fce0f862b678aaa84866aaaeff8f Mon Sep 17 00:00:00 2001
From: Eric Andersen
Date: Wed, 5 May 2004 07:05:32 +0000
Subject: [PATCH] Steve Grubb writes:
Hello, Last November a bug was found in iproute. CAN-2003-0856 has more information. Basically, netlink packets can come from any user. If a program performs action based on netlink packets, they must be examined to make sure they came from the place they are expected (the kernel). Attached is a patch against pre8. Please apply this before releasing 1.00 final. All users of busy box may be vulnerable to local attacks without it. Best Regards, Steve Grubb
---
 networking/libiproute/libnetlink.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/networking/libiproute/libnetlink.c b/networking/libiproute/libnetlink.c
index 861daef86..5545be8fe 100644
--- a/networking/libiproute/libnetlink.c
+++ b/networking/libiproute/libnetlink.c
@@ -161,7 +161,8 @@ int rtnl_dump_filter(struct rtnl_handle *rth,
 while (NLMSG_OK(h, status)) {
 int err;
- if (h->nlmsg_pid != rth->local.nl_pid ||
+ if (nladdr.nl_pid != 0 ||
+ h->nlmsg_pid != rth->local.nl_pid ||
 h->nlmsg_seq != rth->dump) {
 if (junk) {
 err = junk(&nladdr, h, arg2);
@@ -270,7 +271,8 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer,
 bb_error_msg_and_die("!!!malformed message: len=%d", len);
 }
- if (h->nlmsg_pid != rtnl->local.nl_pid ||
+ if (nladdr.nl_pid != peer ||
+ h->nlmsg_pid != rtnl->local.nl_pid ||
 h->nlmsg_seq != seq) {
 if (junk) {
 l_err = junk(&nladdr, h, jarg);
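Review bot: The added `nladdr.nl_pid != 0` test in rtnl_dump_filter is the entire fix for the sender-spoofing problem the commit message describes, yet it carries no comment, so a later reader may take it as redundant with the nlmsg_pid comparison that follows and fold it away; add `/* the kernel is the only sender with nl_pid 0; netlink packets can otherwise come from any user, so nlmsg_pid alone proves nothing */` above it, and the equivalent note on the `nladdr.nl_pid != peer` line in the rtnl_talk hunk. The comparison is only meaningful if whatever fills nladdr earlier in each function (presumably the receive call, outside both hunks) also confirmed that a full sender address was returned; if it does not, nladdr.nl_pid may be stale and the new test decides nothing, so that check is worth verifying. A message rejected by the new condition is still passed to junk(&nladdr, h, ...) in both functions, so any junk callback must treat its argument as untrusted rather than as a reply. Both rtnl_dump_filter and rtnl_talk start and end outside the hunks.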