ip6: Perform sanity checks before processing nduseropt messages
authorThomas Graf <tgraf@redhat.com>
Fri, 9 Sep 2011 09:39:06 +0000 (11:39 +0200)
committerDan Williams <dcbw@redhat.com>
Tue, 13 Sep 2011 05:08:30 +0000 (00:08 -0500)
Verifies that the provided message consists of the nduseropt header
followed by an array of options as specified in the header.

src/ip6-manager/nm-ip6-manager.c

index a8e88be..721d43b 100644 (file)
@@ -911,6 +911,13 @@ process_nduseropt (NMIP6Manager *manager, struct nl_msg *msg)
 
        ndmsg = (struct nduseroptmsg *) NLMSG_DATA (nlmsg_hdr (msg));
 
+       if (!nlmsg_valid_hdr (nlmsg_hdr (msg), sizeof (*ndmsg)) ||
+           nlmsg_datalen (nlmsg_hdr (msg)) <
+               (ndmsg->nduseropt_opts_len + sizeof (*ndmsg))) {
+               nm_log_dbg (LOGD_IP6, "ignoring invalid nduseropt message");
+               return NULL;
+       }
+
        if (ndmsg->nduseropt_family != AF_INET6 ||
                ndmsg->nduseropt_icmp_type != ND_ROUTER_ADVERT ||
                ndmsg->nduseropt_icmp_code != 0) {
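Review bot: The added guard in process_nduseropt bounds the option array as a whole against the netlink payload, but nothing in this hunk constrains the length of each option inside that array. The code that walks the options lies outside the hunk, so confirm that it stops on an `nd_opt_len` of zero and on any option that would run past the remaining `nduseropt_opts_len`; otherwise the new check still leaves the parser trusting per-option lengths. The condition would also read more easily with the header cached once, `struct nlmsghdr *hdr = nlmsg_hdr (msg);`, instead of three `nlmsg_hdr (msg)` calls. A short comment above it would help too, such as `/* header must be complete and the advertised options must fit in the payload */`. Including `nlmsg_datalen` and `nduseropt_opts_len` in the debug message would make a rejected message diagnosable from logs.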