[IPV4]: Convert address deletion to new netlink api
authorThomas Graf <tgraf@suug.ch>
Sat, 5 Aug 2006 06:04:17 +0000 (23:04 -0700)
committerDavid S. Miller <davem@sunset.davemloft.net>
Fri, 22 Sep 2006 21:53:45 +0000 (14:53 -0700)
Fixes various unvalidated netlink attributes causing
memory corruptions when left empty by userspace.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/devinet.c

index 6b297c8697e606f8b7b9e62d36645df06408a902..309640e9ede1f528cf000f07673563f1ea70d742 100644 (file)
@@ -430,34 +430,48 @@ struct in_ifaddr *inet_ifa_byprefix(struct in_device *in_dev, u32 prefix,
 
 static int inet_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
 {
-       struct rtattr **rta = arg;
+       struct nlattr *tb[IFA_MAX+1];
        struct in_device *in_dev;
-       struct ifaddrmsg *ifm = NLMSG_DATA(nlh);
+       struct ifaddrmsg *ifm;
        struct in_ifaddr *ifa, **ifap;
+       int err = -EINVAL;
 
        ASSERT_RTNL();
 
-       if ((in_dev = inetdev_by_index(ifm->ifa_index)) == NULL)
-               goto out;
+       err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFA_MAX, ifa_ipv4_policy);
+       if (err < 0)
+               goto errout;
+
+       ifm = nlmsg_data(nlh);
+       in_dev = inetdev_by_index(ifm->ifa_index);
+       if (in_dev == NULL) {
+               err = -ENODEV;
+               goto errout;
+       }
+
        __in_dev_put(in_dev);
 
        for (ifap = &in_dev->ifa_list; (ifa = *ifap) != NULL;
             ifap = &ifa->ifa_next) {
-               if ((rta[IFA_LOCAL - 1] &&
-                    memcmp(RTA_DATA(rta[IFA_LOCAL - 1]),
-                           &ifa->ifa_local, 4)) ||
-                   (rta[IFA_LABEL - 1] &&
-                    rtattr_strcmp(rta[IFA_LABEL - 1], ifa->ifa_label)) ||
-                   (rta[IFA_ADDRESS - 1] &&
-                    (ifm->ifa_prefixlen != ifa->ifa_prefixlen ||
-                     !inet_ifa_match(*(u32*)RTA_DATA(rta[IFA_ADDRESS - 1]),
-                                     ifa))))
+               if (tb[IFA_LOCAL] &&
+                   ifa->ifa_local != nla_get_u32(tb[IFA_LOCAL]))
                        continue;
+
+               if (tb[IFA_LABEL] && nla_strcmp(tb[IFA_LABEL], ifa->ifa_label))
+                       continue;
+
+               if (tb[IFA_ADDRESS] &&
+                   (ifm->ifa_prefixlen != ifa->ifa_prefixlen ||
+                   !inet_ifa_match(nla_get_u32(tb[IFA_ADDRESS]), ifa)))
+                       continue;
+
                inet_del_ifa(in_dev, ifap, 1);
                return 0;
        }
-out:
-       return -EADDRNOTAVAIL;
+
+       err = -EADDRNOTAVAIL;
+errout:
+       return err;
 }
 
 static struct in_ifaddr *rtm_to_ifaddr(struct nlmsghdr *nlh)