econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849

[firefly-linux-kernel-4.4.55.git] / net / phonet / pn_netlink.c

diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c
index d21fd357661022d7b451d26ad93f43301f12b2ac..7acab1ea4fc53ded176566ca91660151a8faddc8 100644 (file)
--- a/net/phonet/pn_netlink.c
+++ b/net/phonet/pn_netlink.c
@@ -68,6 +68,8 @@ static int addr_doit(struct sk_buff *skb, struct nlmsghdr *nlh, void *attr)
        int err;
        u8 pnaddr;
 
+       if (!net_eq(net, &init_net))
+               return -EOPNOTSUPP;
        if (!capable(CAP_SYS_ADMIN))
                return -EPERM;
 
@@ -124,12 +126,16 @@ nla_put_failure:
 
 static int getaddr_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
 {
+       struct net *net = sock_net(skb->sk);
        struct phonet_device_list *pndevs;
        struct phonet_device *pnd;
        int dev_idx = 0, dev_start_idx = cb->args[0];
        int addr_idx = 0, addr_start_idx = cb->args[1];
 
-       pndevs = phonet_device_list(sock_net(skb->sk));
+       if (!net_eq(net, &init_net))
+               goto skip;
+
+       pndevs = phonet_device_list(net);
        spin_lock_bh(&pndevs->lock);
        list_for_each_entry(pnd, &pndevs->list, list) {
                u8 addr;
@@ -154,6 +160,7 @@ static int getaddr_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
 
 out:
        spin_unlock_bh(&pndevs->lock);
+skip:
        cb->args[0] = dev_idx;
        cb->args[1] = addr_idx;