Steve Grubb writes:
author: Eric Andersen <andersen@codepoet.org>
Wed, 5 May 2004 07:05:32 +0000 (07:05 -0000)
committer: Eric Andersen <andersen@codepoet.org>
Wed, 5 May 2004 07:05:32 +0000 (07:05 -0000)
Hello,

Last November a bug was found in iproute. CAN-2003-0856 has more information.
Basically, netlink packets can come from any user. If a program performs actions
based on netlink packets, they must be examined to make sure they came from the
place they are expected (the kernel).

Attached is a patch against pre8. Please apply this before releasing 1.00 final.
All users of BusyBox may be vulnerable to local attacks without it.

Best Regards,
Steve Grubb
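The check the message describes, as an added example that is not BusyBox code: a received netlink datagram is accepted only when the sender address recvmsg reported (`sockaddr_nl.nl_pid`) is the expected peer (0 for the kernel), and each message header inside it carries our own pid and the sequence number of our request. The `nl_ctx` struct, the function names and the constructed datagram (three empty `NLMSG_DONE` messages, sender pid 4242 standing in for an unprivileged local process) are assumptions made for this example. Note that the forged datagram carries a correct `nlmsg_pid` and `nlmsg_seq` in its headers, so only the sender-address check rejects it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Added example, not BusyBox code: what the receiver must know to decide
 * whether a netlink message may be trusted. Names are assumptions. */
struct nl_ctx {
    uint32_t local_pid;    /* nl_pid our socket is bound to */
    uint32_t expected_seq; /* sequence number of the request we sent */
    uint32_t peer;         /* sender nl_pid we expect replies from; 0 = kernel */
};

/* Returns 1 if the message may be acted on, 0 if it must be treated as junk.
 * `from` is the address recvmsg filled in for the whole datagram; it is the
 * only field the sender cannot forge, which is why the patch checks it. */
static int nl_msg_trusted(const struct sockaddr_nl *from,
                          const struct nlmsghdr *h, const struct nl_ctx *ctx)
{
    if (from->nl_pid != ctx->peer)          /* not from the expected sender */
        return 0;
    if (h->nlmsg_pid != ctx->local_pid)     /* not addressed to us */
        return 0;
    if (h->nlmsg_seq != ctx->expected_seq)  /* not a reply to our request */
        return 0;
    return 1;
}

/* Walks every message in one received datagram (NLMSG_OK / NLMSG_NEXT, as
 * libnetlink.c does) and counts those that pass nl_msg_trusted(). */
static int nl_count_trusted(const struct sockaddr_nl *from, void *buf,
                            size_t len, const struct nl_ctx *ctx)
{
    int accepted = 0;
    int status = (int)len;
    struct nlmsghdr *h = (struct nlmsghdr *)buf;

    while (NLMSG_OK(h, status)) {
        if (nl_msg_trusted(from, h, ctx))
            accepted++;
        h = NLMSG_NEXT(h, status);
    }
    return accepted;
}

/* Builds a constructed datagram of `n` empty NLMSG_DONE messages that all
 * carry the given nlmsg_pid / nlmsg_seq. Returns the number of bytes used. */
static size_t build_datagram(unsigned char *buf, size_t cap, int n,
                             uint32_t pid, uint32_t seq)
{
    size_t off = 0;
    for (int i = 0; i < n; i++) {
        if (off + NLMSG_SPACE(0) > cap)
            break;
        struct nlmsghdr *h = (struct nlmsghdr *)(buf + off);
        memset(h, 0, NLMSG_SPACE(0));
        h->nlmsg_len = NLMSG_LENGTH(0);
        h->nlmsg_type = NLMSG_DONE;
        h->nlmsg_pid = pid;
        h->nlmsg_seq = seq;
        off += NLMSG_SPACE(0);
    }
    return off;
}

/* Scenario: a datagram whose headers name our pid (constructed value 1000)
 * and sequence number `seq`, delivered from sender `sender_pid`. Returns how
 * many of its three messages the receiver would accept. */
static int count_accepted_from(uint32_t sender_pid, uint32_t seq)
{
    unsigned char buf[256];
    struct nl_ctx ctx = { .local_pid = 1000, .expected_seq = 7, .peer = 0 };
    struct sockaddr_nl from;

    memset(&from, 0, sizeof from);
    from.nl_family = AF_NETLINK;
    from.nl_pid = sender_pid;

    size_t len = build_datagram(buf, sizeof buf, 3, ctx.local_pid, seq);
    return nl_count_trusted(&from, buf, len, &ctx);
}

int main(void)
{
    printf("kernel sender, right seq: %d accepted\n", count_accepted_from(0, 7));
    printf("user sender 4242, right seq: %d accepted\n", count_accepted_from(4242, 7));
    printf("kernel sender, stale seq: %d accepted\n", count_accepted_from(0, 8));
    return 0;
}
```

The sender pid 4242 case is the one the pre-patch code got wrong: the message headers are well formed and match the pre-existing `nlmsg_pid` / `nlmsg_seq` checks, so nothing but the `sockaddr_nl` address distinguishes it from a real kernel reply. This compiles on Linux, where `linux/netlink.h` provides the NLMSG macros.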

networking/libiproute/libnetlink.c

index 861daef86b98c114203dca33b89e40f3021474f9..5545be8fe4728e5d904af10a195ccad8bd455bf9 100644 (file)
@@ -161,7 +161,8 @@ int rtnl_dump_filter(struct rtnl_handle *rth,
                while (NLMSG_OK(h, status)) {
                        int err;
 
-                       if (h->nlmsg_pid != rth->local.nl_pid ||
+                       if (nladdr.nl_pid != 0 ||
+                           h->nlmsg_pid != rth->local.nl_pid ||
                            h->nlmsg_seq != rth->dump) {
                                if (junk) {
                                        err = junk(&nladdr, h, arg2);
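Review bot: the new `nladdr.nl_pid != 0` test only protects rtnl_dump_filter if `nladdr` is the sender address that recvmsg filled in for this datagram; that assignment is outside the hunk, so confirm `msg_name` points at `nladdr` and that it is refreshed on every receive rather than carried over from an earlier iteration. A short comment saying that nl_pid 0 means the kernel would also help here, because the adjacent `h->nlmsg_pid != rth->local.nl_pid` compares a different pid (the one inside the message header, which the sender controls). Note that a message failing the check is still handed to `junk(&nladdr, h, arg2)` rather than dropped, so junk callbacks must treat what they receive as untrusted.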
@@ -270,7 +271,8 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer,
                                bb_error_msg_and_die("!!!malformed message: len=%d", len);
                        }
 
-                       if (h->nlmsg_pid != rtnl->local.nl_pid ||
+                       if (nladdr.nl_pid != peer ||
+                           h->nlmsg_pid != rtnl->local.nl_pid ||
                            h->nlmsg_seq != seq) {
                                if (junk) {
                                        l_err = junk(&nladdr, h, jarg);
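Review bot: `nladdr.nl_pid != peer` makes the accepted sender depend on the `peer` argument of rtnl_talk, but the hunk adds no documentation that callers wanting only kernel replies must pass 0; add that to the function's comment or prototype so a caller cannot pass a stale or zero-initialised value by accident. As in the dump path, a rejected message still reaches `junk(&nladdr, h, jarg)` rather than being discarded, so the callback receives the sender address and must not act on the message as if it were the reply.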