bpf: Use nla_ok() instead of checking nla_len directly

nla_len may also be too short to be sane, in which case after recent changes nla_len() will return a wrapped value. Fixes: 172db56d90d2 ("netlink: Return unsigned value for nla_len()") Reported-by: syzbot+f43a23b6e622797c7a28@syzkaller.appspotmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://lore.kernel.org/bpf/20231218231904.260440-1-kuba@kernel.org
author: Jakub Kicinski <kuba@kernel.org> 2023-12-18 15:19:04 -0800
committer: Daniel Borkmann <daniel@iogearbox.net> 2023-12-19 15:20:40 +0100
commit: 2130c519a401e576647040043cb46d6fdc361dcc (patch)
tree: 23eabf7884fd7854517ff7632c6667abb290fee5 /net/core
parent: f7dd48ea76be30666f0614d6a06061185ed38c60 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/net/core/filter.c b/net/core/filter.c
index 4ff6100c6a27..3cc52b82bab8 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -203,7 +203,7 @@ BPF_CALL_3(bpf_skb_get_nlattr_nest, struct sk_buff *, skb, u32, a, u32, x)
 		return 0;
 
 	nla = (struct nlattr *) &skb->data[a];
-	if (nla->nla_len > skb->len - a)
+	if (!nla_ok(nla, skb->len - a))
 		return 0;
 
 	nla = nla_find_nested(nla, x);
author	Jakub Kicinski <kuba@kernel.org>	2023-12-18 15:19:04 -0800
committer	Daniel Borkmann <daniel@iogearbox.net>	2023-12-19 15:20:40 +0100
commit	2130c519a401e576647040043cb46d6fdc361dcc (patch)
tree	23eabf7884fd7854517ff7632c6667abb290fee5 /net/core
parent	f7dd48ea76be30666f0614d6a06061185ed38c60 (diff)