Re: [FIX NETLINK] properly check arguments to netlink_bind()

Previous thread: Please pull 'b43' branch of wireless-2.6 by John W. Linville on Tuesday, September 18, 2007 - 4:28 pm. (3 messages)

Next thread: none
To: <netdev@...>
Date: Tuesday, September 18, 2007 - 5:01 pm

Hi,

while going through the netlink code I found out that netlink_bind()
does not properly check bind parameters. I checked both 2.6.23-rc1 as
well as 2.6.16.53, both are affected.

With a small test prog I wasn't able to crash my machine though, but
data was accessed out of bounds.

Please apply the attached patch.

Thanks.

/holger
-

To: <netdev@...>
Date: Tuesday, September 18, 2007 - 5:05 pm

See my attached patch, thanks.

/holger

To: <holger@...>
Cc: <netdev@...>
Date: Tuesday, September 18, 2007 - 5:53 pm

From: Holger Eitzenberger <holger@my-eitzenberger.de>

Your patch is incorrect and also unnecessary.

Firstly, your patch compares the address _pointer_ against
the minimum length. That's obviously wrong.

And if you check the call sites of the protocol ->bind() methods, they
all use on-stack buffer for the address object which is at least
MAX_SOCK_ADDR bytes in length so that the bind methods don't have to
check the size if they don't want to.
-

To: David Miller <davem@...>
Cc: <netdev@...>
Date: Wednesday, September 19, 2007 - 3:16 am

Also true, but in that case you still end up accessing uninitialized
data. Also note that e.g. inet_bind() checks explicitly for that and
it's not clear to me why netlink_bind() is different. Maybe you can
help me figure it out.

Another point is that simply calling

bind(nl_fd, (struct sockaddr *)&an_int, sizeof(int));

will not return EINVAL but depends on the random data after an_int.

/holger

-
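An added example, not code from the thread or from the kernel, that models what the two replies above describe: the address is copied into a MAX_SOCK_ADDR-byte stack buffer (so a short address cannot overrun it, the point made in the reply from David Miller) and is then handed to the protocol's ->bind() together with addr_len, which a bind method without a length check ignores (the uninitialized-data point in the reply from Holger, including the bind(..., &an_int, sizeof(int)) call). All sim_* names, the "stale" byte pattern standing in for leftover stack contents, and the inputs are this example's own assumptions; the struct layout follows struct sockaddr_nl (family, pad, pid, groups).

```c
/* Added example, not code from the thread or the kernel. Models the
 * bind() path discussed above: the address lands in a MAX_SOCK_ADDR-byte
 * stack buffer, then the protocol ->bind() gets it plus addr_len.
 * All sim_* names are this example's own. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIM_AF_NETLINK    16
#define SIM_MAX_SOCK_ADDR 128   /* same value as the kernel's MAX_SOCK_ADDR */

struct sim_sockaddr_nl {        /* layout of struct sockaddr_nl */
    uint16_t nl_family;
    uint16_t nl_pad;
    uint32_t nl_pid;
    uint32_t nl_groups;
};

/* Kernel-side buffer: large enough for any family, never overrun by a
 * short address, but nothing zeroes the bytes past addr_len. */
union sim_kaddr {
    uint8_t bytes[SIM_MAX_SOCK_ADDR];
    struct sim_sockaddr_nl nl;
};

/* Stand-in for the user->kernel address copy: bounds-checks addr_len
 * against the buffer, copies exactly addr_len bytes, pads nothing. */
static int sim_move_addr_to_kernel(const void *uaddr, int addr_len,
                                   union sim_kaddr *kaddr)
{
    if (addr_len < 0 || addr_len > SIM_MAX_SOCK_ADDR)
        return -EINVAL;
    memcpy(kaddr->bytes, uaddr, (size_t)addr_len);
    return 0;
}

/* ->bind() that ignores addr_len: nl_groups is read from whatever the
 * buffer held beyond the bytes the caller actually supplied. */
static int sim_netlink_bind_unchecked(const struct sim_sockaddr_nl *a,
                                      int addr_len, uint32_t *groups_seen)
{
    (void)addr_len;
    if (a->nl_family != SIM_AF_NETLINK)
        return -EINVAL;
    *groups_seen = a->nl_groups;
    return 0;
}

/* ->bind() with the length check inet_bind() performs first. */
static int sim_netlink_bind_checked(const struct sim_sockaddr_nl *a,
                                    int addr_len, uint32_t *groups_seen)
{
    if (addr_len < (int)sizeof(*a))
        return -EINVAL;
    if (a->nl_family != SIM_AF_NETLINK)
        return -EINVAL;
    *groups_seen = a->nl_groups;
    return 0;
}

/* One bind() call. 'stale' is the byte pattern left on the stack before
 * the copy; a real kernel would have arbitrary leftovers there. */
static int sim_sys_bind(const void *uaddr, int addr_len, int checked,
                        uint8_t stale, uint32_t *groups_seen)
{
    union sim_kaddr kaddr;
    int err;

    memset(kaddr.bytes, stale, sizeof(kaddr.bytes));
    err = sim_move_addr_to_kernel(uaddr, addr_len, &kaddr);
    if (err)
        return err;
    return checked ? sim_netlink_bind_checked(&kaddr.nl, addr_len, groups_seen)
                   : sim_netlink_bind_unchecked(&kaddr.nl, addr_len, groups_seen);
}

/* Holger's call, bind(fd, (struct sockaddr *)&an_int, sizeof(int)), with
 * AF_NETLINK in the first two bytes (constructed input). */
int sim_bind_short_addr(int checked, uint8_t stale, uint32_t *groups_seen)
{
    uint16_t family = SIM_AF_NETLINK;
    uint8_t an_int[sizeof(int)] = {0};

    memcpy(an_int, &family, sizeof(family));
    return sim_sys_bind(an_int, sizeof(an_int), checked, stale, groups_seen);
}

/* A well-formed address: both paths accept it and see the right groups. */
int sim_bind_full_addr(int checked, uint32_t groups, uint32_t *groups_seen)
{
    struct sim_sockaddr_nl a = { SIM_AF_NETLINK, 0, 0, groups };

    return sim_sys_bind(&a, sizeof(a), checked, 0xAA, groups_seen);
}

int main(void)
{
    uint32_t g = 0;
    int rc = sim_bind_short_addr(0, 0xAA, &g);
    printf("unchecked, len=%zu: rc=%d groups=0x%08x\n", sizeof(int), rc, g);
    rc = sim_bind_short_addr(1, 0xAA, &g);
    printf("checked,   len=%zu: rc=%d (EINVAL is %d)\n", sizeof(int), rc, -EINVAL);
    rc = sim_bind_full_addr(1, 5, &g);
    printf("checked,   full address: rc=%d groups=0x%08x\n", rc, g);
    return 0;
}
```

Build with cc -Wall and run. The unchecked path returns 0 for the sizeof(int) call and reports a groups mask assembled from the stale bytes, so the outcome depends on what the stack held before the copy, which is the behaviour the bind(..., sizeof(int)) remark describes; the checked path returns -EINVAL before it looks at nl_groups. Whether netlink_bind() in a given kernel version matches the unchecked or the checked variant is something to confirm against that version's source.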

To: <netdev@...>
Date: Tuesday, September 18, 2007 - 5:14 pm

The previous patchlet wasn't correct, please apply this one.

Sorry for the noise.

/holger
